| Source | Binary string |
|---|---|
| sZXuT60Q6P.exe, 00000000.00000002.2029162979.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, sZXuT60Q6P.exe, 00000000.00000002.2034346118.0000000005490000.00000004.08000000.00040000.00000000.sdmp | C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb |
| powershell.exe, 00000002.00000002.2038802597.0000000003567000.00000004.00000020.00020000.00000000.sdmp | System.Management.Automation.pdb |
| powershell.exe, 00000002.00000002.2048506249.0000000007C92000.00000004.00000020.00020000.00000000.sdmp | \??\C:\Windows\System.Management.Automation.pdb3 |

| Source | File source |
|---|---|
| Yara match | 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
| Yara match | 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, type: UNPACKEDPE |
| Yara match | 0.2.sZXuT60Q6P.exe.3b9b420.2.raw.unpack, type: UNPACKEDPE |
| Yara match | 0.2.sZXuT60Q6P.exe.3b4adf0.4.raw.unpack, type: UNPACKEDPE |

| Source | String found in binary or memory |
|---|---|
| RegAsm.exe, 00000004.00000002.4483187709.00000000028FF000.00000004.00000800.00020000.00000000.sdmp | http://api.ipify.org |
| svchost.exe, 00000005.00000002.3637582487.000001876F400000.00000004.00000020.00020000.00000000.sdmp | http://crl.ver) |
| qmgr.db.5.dr | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU |
| qmgr.db.5.dr | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n |
| qmgr.db.5.dr | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/ |
| qmgr.db.5.dr | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567 |
| qmgr.db.5.dr | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg |
| qmgr.db.5.dr | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe |
| edb.log.5.dr | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20 |
| powershell.exe, 00000002.00000002.2040580784.000000000561D000.00000004.00000800.00020000.00000000.sdmp | http://go.micros |
| RegAsm.exe, 00000004.00000002.4483187709.0000000002920000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002871000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002937000.00000004.00000800.00020000.00000000.sdmp | http://ip-api.com |
| sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002920000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002871000.00000004.00000800.00020000.00000000.sdmp | http://ip-api.com/line/?fields=hosting |
| powershell.exe, 00000002.00000002.2045407904.00000000061D5000.00000004.00000800.00020000.00000000.sdmp | http://nuget.org/NuGet.exe |
| powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | http://pesterbdd.com/images/Pester.png |
| powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | http://schemas.xmlsoap.org/soap/encoding/ |
| powershell.exe, 00000002.00000002.2040580784.0000000005171000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | http://schemas.xmlsoap.org/wsdl/ |
| powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | http://www.apache.org/licenses/LICENSE-2.0.html |
| RegAsm.exe, 00000004.00000002.4498237173.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp | http://www.microsoft. |
| sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp | https://account.dyn.com/ |
| powershell.exe, 00000002.00000002.2040580784.0000000005171000.00000004.00000800.00020000.00000000.sdmp | https://aka.ms/pscore6lBhq |
| powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | https://aka.ms/winsvr-2022-pshelp |
| RegAsm.exe, 00000004.00000002.4483187709.00000000028F8000.00000004.00000800.00020000.00000000.sdmp | https://api.ipif8 |
| sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | https://api.ipify.org |
| RegAsm.exe, 00000004.00000002.4483187709.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | https://api.ipify.org/ |
| RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | https://api.ipify.org/T |
| RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | https://api.ipify.org/p |
| RegAsm.exe, 00000004.00000002.4483187709.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | https://api.ipify.org/t |
| powershell.exe, 00000002.00000002.2045407904.00000000061D5000.00000004.00000800.00020000.00000000.sdmp | https://contoso.com/ |
| powershell.exe, 00000002.00000002.2045407904.00000000061D5000.00000004.00000800.00020000.00000000.sdmp | https://contoso.com/Icon |
| powershell.exe, 00000002.00000002.2045407904.00000000061D5000.00000004.00000800.00020000.00000000.sdmp | https://contoso.com/License |
| edb.log.5.dr | https://g.live.com/odclientsettings/Prod/C: |
| svchost.exe, 00000005.00000003.2027291394.000001876F1A0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | https://g.live.com/odclientsettings/ProdV2.C: |
| powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | https://github.com/Pester/Pester |
| sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, sZXuT60Q6P.exe, 00000000.00000002.2034102813.0000000005430000.00000004.08000000.00040000.00000000.sdmp | https://github.com/sam210723/goesrecv-monitor/releases/latest |
| powershell.exe, 00000002.00000002.2045407904.00000000061D5000.00000004.00000800.00020000.00000000.sdmp | https://nuget.org/nuget.exe |
| qmgr.db.5.dr | https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C: |
| sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, sZXuT60Q6P.exe, 00000000.00000002.2034102813.0000000005430000.00000004.08000000.00040000.00000000.sdmp | https://vksdr.com/goesrecv-monitor |

| Source | Matched rule |
|---|---|
| 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen) |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.unpack, type: UNPACKEDPE | Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen) |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, type: UNPACKEDPE | Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen) |
| 0.2.sZXuT60Q6P.exe.3b9b420.2.raw.unpack, type: UNPACKEDPE | Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen) |
| 0.2.sZXuT60Q6P.exe.3b4adf0.4.raw.unpack, type: UNPACKEDPE | Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen) |

| Source | Code function |
|---|---|
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_02933CF4 |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_02932448 |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_0293246B |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_0293DAFC |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_04F903F0 |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_04F903E0 |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_04F9EC78 |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_04FF54D0 |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_04FF25C0 |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_04FFD380 |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_04FFAE98 |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_04FF786A |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_04FF3818 |
| C:\Users\user\Desktop\sZXuT60Q6P.exe | 0_2_04FF6960 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_00F8B77C |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_00F84AC0 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_00F83EA8 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_00F8AF30 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_00F841F0 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_06603078 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_06603E20 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_066055C0 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_06600040 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_06604ED8 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_06609EA2 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 4_2_06609EA8 |

| Source | Binary or memory string |
|---|---|
| sZXuT60Q6P.exe, 00000000.00000002.2027600254.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp | OriginalFilenameclr.dllT vs sZXuT60Q6P.exe |
| sZXuT60Q6P.exe, 00000000.00000002.2029162979.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | OriginalFilenameBienvenida.exe6 vs sZXuT60Q6P.exe |
| sZXuT60Q6P.exe, 00000000.00000002.2029162979.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | OriginalFilename1f940a0d-a27b-4ffe-9f6f-6b985da4c6d6.exe4 vs sZXuT60Q6P.exe |
| sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp | OriginalFilenamegoesrecv.dllB vs sZXuT60Q6P.exe |
| sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp | OriginalFilename1f940a0d-a27b-4ffe-9f6f-6b985da4c6d6.exe4 vs sZXuT60Q6P.exe |
| sZXuT60Q6P.exe, 00000000.00000000.2004807672.0000000000703000.00000002.00000001.01000000.00000003.sdmp | OriginalFilenameESET.exe, vs sZXuT60Q6P.exe |
| sZXuT60Q6P.exe, 00000000.00000002.2034346118.0000000005490000.00000004.08000000.00040000.00000000.sdmp | OriginalFilenameBienvenida.exe6 vs sZXuT60Q6P.exe |
| sZXuT60Q6P.exe, 00000000.00000002.2034102813.0000000005430000.00000004.08000000.00040000.00000000.sdmp | OriginalFilenamegoesrecv.dllB vs sZXuT60Q6P.exe |
| sZXuT60Q6P.exe | OriginalFilenameESET.exe, vs sZXuT60Q6P.exe |

| Source | Matched rule |
|---|---|
| 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers) |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.unpack, type: UNPACKEDPE | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers) |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, type: UNPACKEDPE | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers) |
| 0.2.sZXuT60Q6P.exe.3b9b420.2.raw.unpack, type: UNPACKEDPE | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers) |
| 0.2.sZXuT60Q6P.exe.3b4adf0.4.raw.unpack, type: UNPACKEDPE | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers) |

| Source | Cryptographic APIs |
|---|---|
| 0.2.sZXuT60Q6P.exe.5430000.5.raw.unpack, ConstellationPanel.cs | 'TransformFinalBlock' |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, OTWUo99bfyR.cs | 'TransformFinalBlock' |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, OTWUo99bfyR.cs | 'TransformFinalBlock' |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, Ui9qhZiA7.cs | 'TransformFinalBlock' |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, Ui9qhZiA7.cs | 'TransformFinalBlock', 'CreateDecryptor' |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, BqMB7yHhrXg.cs | 'TransformFinalBlock' |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, BqMB7yHhrXg.cs | 'TransformFinalBlock' |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, BqMB7yHhrXg.cs | 'TransformFinalBlock' |
| 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, BqMB7yHhrXg.cs | 'TransformFinalBlock' |