Source: PO-095325.scr.exe, 00000000.00000002.2032946402.0000000005400000.00000004.08000000.00040000.00000000.sdmp, PO-095325.scr.exe, 00000000.00000002.2029347793.00000000028F1000.00000004.00000800.00020000.00000000.sdmp
Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb
Source: powershell.exe, 00000002.00000002.2056029725.0000000008194000.00000004.00000020.00020000.00000000.sdmp
Binary string: System.Management.Automation.pdb
Source: powershell.exe, 00000002.00000002.2053643974.000000000725A000.00000004.00000020.00020000.00000000.sdmp
Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb
Source: powershell.exe, 00000002.00000002.2055885190.000000000815A000.00000004.00000020.00020000.00000000.sdmp
Binary string: System.Management.Automation.pdb@70s/
Source: RegAsm.exe, 00000004.00000002.4466181997.000000000338E000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://api.ipify.org
Source: powershell.exe, 00000002.00000002.2055731933.0000000008132000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.micro
Source: svchost.exe, 00000005.00000002.3638291875.00000214424A8000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.ver)
Source: qmgr.db.5.dr
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr
String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.2047492767.0000000004BF3000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://go.micros
Source: RegAsm.exe, 00000004.00000002.4466181997.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003301000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://ip-api.com
Source: PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003301000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2047492767.0000000004741000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp
String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000002.00000002.2047492767.0000000004741000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://api.ipif8
Source: PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp
String found in binary or memory: https://api.ipify.org
Source: RegAsm.exe, 00000004.00000002.4466181997.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://api.ipify.org/
Source: RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://api.ipify.org/T4
Source: RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://api.ipify.org/p
Source: RegAsm.exe, 00000004.00000002.4466181997.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/License
Source: edb.log.5.dr
String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000005.00000003.2028768858.00000214421F0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr
String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://github.com/Pester/Pester
Source: PO-095325.scr.exe, 00000000.00000002.2032466947.0000000005290000.00000004.08000000.00040000.00000000.sdmp, PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://github.com/sam210723/goesrecv-monitor/releases/latest
Source: powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.5.dr
String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: PO-095325.scr.exe, 00000000.00000002.2032466947.0000000005290000.00000004.08000000.00040000.00000000.sdmp, PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://vksdr.com/goesrecv-monitor
Source: C:\Users\user\Desktop\PO-095325.scr.exe
Code function: 0_2_028A4560
Source: C:\Users\user\Desktop\PO-095325.scr.exe
Code function: 0_2_028ACD3C
Source: C:\Users\user\Desktop\PO-095325.scr.exe
Code function: 0_2_028AF5A8
Source: C:\Users\user\Desktop\PO-095325.scr.exe
Code function: 0_2_028AF5B8
Source: C:\Users\user\Desktop\PO-095325.scr.exe
Code function: 0_2_04FB7718
Source: C:\Users\user\Desktop\PO-095325.scr.exe
Code function: 0_2_04FB12B7
Source: C:\Users\user\Desktop\PO-095325.scr.exe
Code function: 0_2_04FBCF50
Source: C:\Users\user\Desktop\PO-095325.scr.exe
Code function: 0_2_04FB35BC
Source: C:\Users\user\Desktop\PO-095325.scr.exe
Code function: 0_2_04FBCF3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Code function: 4_2_01604AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Code function: 4_2_01603EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Code function: 4_2_016041F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Code function: 4_2_06E6B7B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Code function: 4_2_06E665F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Code function: 4_2_06E60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Code function: 4_2_06E68458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Code function: 4_2_06E6D428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Code function: 4_2_06E6D418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Code function: 4_2_06E6E11F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Code function: 4_2_06E68B40
Source: PO-095325.scr.exe, 00000000.00000002.2028292789.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameclr.dllT vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2032946402.0000000005400000.00000004.08000000.00040000.00000000.sdmp
Binary or memory string: OriginalFilenameBienvenida.exe6 vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000000.2007786745.000000000053A000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: OriginalFilenameESET.exe, vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2029347793.00000000028F1000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameBienvenida.exe6 vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2029347793.00000000028F1000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: OriginalFilename1f940a0d-a27b-4ffe-9f6f-6b985da4c6d6.exe4 vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2032466947.0000000005290000.00000004.08000000.00040000.00000000.sdmp
Binary or memory string: OriginalFilenamegoesrecv.dllB vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: OriginalFilenamegoesrecv.dllB vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: OriginalFilename1f940a0d-a27b-4ffe-9f6f-6b985da4c6d6.exe4 vs PO-095325.scr.exe
Source: PO-095325.scr.exe
Binary or memory string: OriginalFilenameESET.exe, vs PO-095325.scr.exe
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO-095325.scr.exe.3949b80.2.raw.unpack, type: UNPACKEDPE
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers