Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb source: eO2bqORIJb.exe, 00000000.00000002.2117285247.0000000002921000.00000004.00000800.00020000.00000000.sdmp, eO2bqORIJb.exe, 00000000.00000002.2119335638.0000000004DE0000.00000004.08000000.00040000.00000000.sdmp |
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2140082787.0000000007B8A000.00000004.00000020.00020000.00000000.sdmp |
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2129596586.0000000003506000.00000004.00000020.00020000.00000000.sdmp |
Source: RegAsm.exe, 00000005.00000002.4584279133.0000000002A90000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://api.ipify.org |
Source: svchost.exe, 00000006.00000002.3724535002.000001E391A00000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.ver) |
Source: qmgr.db.6.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU |
Source: qmgr.db.6.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5 |
Source: qmgr.db.6.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n |
Source: qmgr.db.6.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/ |
Source: qmgr.db.6.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567 |
Source: qmgr.db.6.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg |
Source: qmgr.db.6.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe |
Source: edb.log.6.dr |
String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20 |
Source: powershell.exe, 00000002.00000002.2133048152.000000000580D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://go.micros |
Source: RegAsm.exe, 00000005.00000002.4584279133.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4584279133.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4584279133.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com |
Source: eO2bqORIJb.exe, 00000000.00000002.2117563643.0000000003929000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4570680102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4584279133.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4584279133.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com/line/?fields=hosting |
Source: powershell.exe, 00000002.00000002.2136905939.0000000006136000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000002.00000002.2133048152.0000000005226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2140082787.0000000007B8A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.2133048152.0000000005226000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000002.00000002.2133048152.00000000050D1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4584279133.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4584279133.00000000029B1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000002.00000002.2133048152.0000000005226000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000002.00000002.2133048152.0000000005226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2140082787.0000000007B8A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.2129596586.0000000003506000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft. |
Source: eO2bqORIJb.exe, 00000000.00000002.2117563643.0000000003929000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4570680102.0000000000402000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: https://account.dyn.com/ |
Source: powershell.exe, 00000002.00000002.2133048152.00000000050D1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 00000002.00000002.2133048152.0000000005226000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/winsvr-2022-pshelp |
Source: RegAsm.exe, 00000005.00000002.4584279133.0000000002A74000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipif8 |
Source: eO2bqORIJb.exe, 00000000.00000002.2117563643.0000000003929000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4570680102.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4584279133.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4584279133.00000000029B1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org |
Source: RegAsm.exe, 00000005.00000002.4584279133.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4584279133.00000000029B1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org/ |
Source: RegAsm.exe, 00000005.00000002.4584279133.0000000002A74000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org/Th |
Source: RegAsm.exe, 00000005.00000002.4584279133.0000000002A74000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org/p |
Source: RegAsm.exe, 00000005.00000002.4584279133.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4584279133.00000000029B1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org/t |
Source: powershell.exe, 00000002.00000002.2136905939.0000000006136000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000002.00000002.2136905939.0000000006136000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000002.00000002.2136905939.0000000006136000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: edb.log.6.dr |
String found in binary or memory: https://g.live.com/odclientsettings/Prod1C: |
Source: svchost.exe, 00000006.00000003.2116304046.000001E391880000.00000004.00000800.00020000.00000000.sdmp, edb.log.6.dr |
String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C: |
Source: powershell.exe, 00000002.00000002.2133048152.0000000005226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2140082787.0000000007B8A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: eO2bqORIJb.exe, 00000000.00000002.2120553142.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, eO2bqORIJb.exe, 00000000.00000002.2117563643.0000000003929000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/sam210723/goesrecv-monitor/releases/latest |
Source: powershell.exe, 00000002.00000002.2136905939.0000000006136000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: eO2bqORIJb.exe, 00000000.00000002.2120553142.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, eO2bqORIJb.exe, 00000000.00000002.2117563643.0000000003929000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://vksdr.com/goesrecv-monitor |
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 0.2.eO2bqORIJb.exe.39ca1b0.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 0.2.eO2bqORIJb.exe.3979b80.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: C:\Users\user\Desktop\eO2bqORIJb.exe |
Code function: 0_2_02704560 |
Source: C:\Users\user\Desktop\eO2bqORIJb.exe |
Code function: 0_2_0270CD3C |
Source: C:\Users\user\Desktop\eO2bqORIJb.exe |
Code function: 0_2_0270F5B8 |
Source: C:\Users\user\Desktop\eO2bqORIJb.exe |
Code function: 0_2_0270F5A8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_00E04AC0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_00E03EA8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_00E041F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_067807CC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_0678B7B4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_067865F8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_067873A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_06788458 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_0678D428 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_0678D418 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_0678E111 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_06788B40 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 5_2_067858D1 |
Source: eO2bqORIJb.exe, 00000000.00000002.2117285247.0000000002921000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameBienvenida.exe6 vs eO2bqORIJb.exe |
Source: eO2bqORIJb.exe, 00000000.00000002.2117285247.0000000002921000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename1f940a0d-a27b-4ffe-9f6f-6b985da4c6d6.exe4 vs eO2bqORIJb.exe |
Source: eO2bqORIJb.exe, 00000000.00000002.2120553142.00000000051C0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenamegoesrecv.dllB vs eO2bqORIJb.exe |
Source: eO2bqORIJb.exe, 00000000.00000002.2115657874.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs eO2bqORIJb.exe |
Source: eO2bqORIJb.exe, 00000000.00000000.2098258388.00000000004A2000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameESET.exe, vs eO2bqORIJb.exe |
Source: eO2bqORIJb.exe, 00000000.00000002.2119335638.0000000004DE0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameBienvenida.exe6 vs eO2bqORIJb.exe |
Source: eO2bqORIJb.exe, 00000000.00000002.2117563643.0000000003929000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamegoesrecv.dllB vs eO2bqORIJb.exe |
Source: eO2bqORIJb.exe, 00000000.00000002.2117563643.0000000003929000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename1f940a0d-a27b-4ffe-9f6f-6b985da4c6d6.exe4 vs eO2bqORIJb.exe |
Source: eO2bqORIJb.exe |
Binary or memory string: OriginalFilenameESET.exe, vs eO2bqORIJb.exe |
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.eO2bqORIJb.exe.39ca1b0.4.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.eO2bqORIJb.exe.3979b80.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.eO2bqORIJb.exe.3979b80.2.raw.unpack, ConstellationPanel.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.eO2bqORIJb.exe.39ca1b0.4.raw.unpack, ConstellationPanel.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.eO2bqORIJb.exe.51c0000.6.raw.unpack, ConstellationPanel.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.raw.unpack, OTWUo99bfyR.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.raw.unpack, OTWUo99bfyR.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.raw.unpack, Ui9qhZiA7.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.raw.unpack, Ui9qhZiA7.cs |
Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.raw.unpack, BqMB7yHhrXg.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.raw.unpack, BqMB7yHhrXg.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.raw.unpack, BqMB7yHhrXg.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.eO2bqORIJb.exe.3a91450.3.raw.unpack, BqMB7yHhrXg.cs |
Cryptographic APIs: 'TransformFinalBlock' |