Windows Analysis Report
D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe

Overview

General Information

Sample Name: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe
Original Sample Name: Dtails_des_transactions_envoyes_141927_20230606.exe
Analysis ID: 882716
MD5: c2410682e7efc9a89f4c88ac2bd51fd1
SHA1: ebca329924db6f5326250edf8b304b01f26062c2
SHA256: 8977050efc90ae103360367456fd07a930525c1b6cb5ff0f69b90ed21d13ab19
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

AV Detection

Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.glassy.com.tr", "Username": "info@glassy.com.tr", "Password": "Sc2017*"}
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Virustotal: Detection: 11%
Source: http://5.42.94.169 Virustotal: Detection: 7%
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Joe Sandbox ML: detected
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: /log.tmp
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: KL
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: KL
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br>[
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ]<br>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: PW
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Time:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br>User Name:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br>Computer Name:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br>OSFullName:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br>CPU:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br>RAM:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: IP Address:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <hr>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: New
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: /
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: IP Address:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: _
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: /
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: /
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: false
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: false
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: false
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: false
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: false
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: false
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: false
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 1
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 1
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 1
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: true
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 587
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: false
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: mail.glassy.com.tr
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: info@glassy.com.tr
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Sc2017*
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: og.bahd@yandex.ru
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: true
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: false
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: appdata
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Myapp
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Myapp.exe
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Myapp
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: true
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: true
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Type
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \drivers\etc\hosts
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Software\Microsoft\Windows\CurrentVersion\Run
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: :
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: :
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <hr>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <b>[
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ]</b> (
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: )<br>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {BACK}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {ALT+TAB}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {ALT+F4}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {TAB}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {ESC}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {Win}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {CAPSLOCK}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {KEYUP}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {KEYDOWN}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {KEYLEFT}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {KEYRIGHT}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {DEL}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {END}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {HOME}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {Insert}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {NumLock}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {PageDown}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {PageUp}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {ENTER}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F1}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F2}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F3}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F4}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F5}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F6}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F7}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F8}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F9}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F10}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F11}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {F12}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: control
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {CTRL}
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: &
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: &amp;
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: &lt;
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: >
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: &gt;
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: "
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: &quot;
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <hr>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: logins
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: IE/Edge
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Windows Secure Note
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Windows Web Password Credential
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Windows Credential Picker Protector
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Web Credentials
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Windows Credentials
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Windows Domain Certificate Credential
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Windows Domain Password Credential
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Windows Extended Credential
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SchemaId
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: pResourceElement
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: pIdentityElement
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: pPackageSid
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: pAuthenticatorElement
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: IE/Edge
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: UC Browser
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: UCBrowser\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: *
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Login Data
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: journal
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: wow_logins
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Safari for Windows
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <array>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <dict>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <string>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </string>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <string>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </string>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <data>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </data>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: -convert xml1 -s -o "
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \fixed_keychain.xml"
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: "
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: "
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Microsoft\Credentials\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Microsoft\Credentials\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Microsoft\Credentials\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Microsoft\Credentials\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Microsoft\Protect\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: credential
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: QQ Browser
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Default\EncryptedStorage
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Profile
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \EncryptedStorage
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: entries
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: category
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: str3
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: str2
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: blob0
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: password_value
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: IncrediMail
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: PopPassword
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SmtpPassword
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Software\IncrediMail\Identities\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Accounts_New
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: PopPassword
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SmtpPassword
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SmtpServer
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: EmailAddress
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Eudora
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: current
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Settings
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SavePasswordText
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Settings
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ReturnAddress
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: -
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Falkon Browser
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \falkon\profiles\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: profiles.ini
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: profiles.ini
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \browsedata.db
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: autofill
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ClawsMail
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Claws-mail
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \clawsrc
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \clawsrc
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: passkey0
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: master_passphrase_salt=(.+)
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \accountrc
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: smtp_server
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: address
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: account
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: [
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ]
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \passwordstorerc
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: {(.*),(.*)}(.*)
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Flock Browser
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: APPDATA
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Flock\Browser\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: signons3.txt
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ---
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: .
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ---
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: DynDns
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ALLUSERSPROFILE
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: username=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: password=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: https://account.dyn.com/
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: t6KzXhCh
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ALLUSERSPROFILE
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: global
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: accounts
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: account.
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: username
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: account.
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Psi/Psi+
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: name
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: jid
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: jid
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Psi/Psi+
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: APPDATA
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Psi\profiles
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: APPDATA
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Psi+\profiles
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \accounts.xml
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \accounts.xml
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: OpenVPN
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: username
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: auth-data
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: entropy
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: USERPROFILE
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \OpenVPN\config\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: remote
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: remote
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: NordVPN
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: NordVPN
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: NordVpn.exe*
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: user.config
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: //setting[@name='Username']/value
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: //setting[@name='Password']/value
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: NordVPN
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: -
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Private Internet Access
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: %ProgramW6432%
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Private Internet Access\data
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ProgramFiles(x86)
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Private Internet Access\data
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \account.json
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: .*"username":"(.*?)"
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: .*"password":"(.*?)"
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Private Internet Access
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: privateinternetaccess.com
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: FileZilla
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: APPDATA
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \FileZilla\recentservers.xml
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: APPDATA
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \FileZilla\recentservers.xml
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <Server>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <Host>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <Host>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </Host>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: :
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <Port>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </Port>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <User>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <User>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </User>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <Pass encoding="base64">
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <Pass encoding="base64">
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </Pass>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <Pass>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <Pass encoding="base64">
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </Pass>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: CoreFTP
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: PW
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: User
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Host
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Port
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: hdfzpysvpzimorhk
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: WinSCP
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: HostName
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: UserName
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: PublicKeyFile
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: :
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: PortNumber
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 22
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: WinSCP
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: A
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 10
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: B
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 11
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: C
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 12
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: D
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 13
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: E
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 14
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: F
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 15
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ABCDEF
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Flash FXP
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: IP
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: :
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: port
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: user
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: pass
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: quick.dat
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Sites.dat
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \FlashFXP\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \FlashFXP\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: FTP Navigator
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SystemDrive
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Server
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: No Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: User
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SmartFTP
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: APPDATA
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: WS_FTP
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: appdata
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: HOST
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: UID
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: PWD
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: PWD=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: PWD=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: FtpCommander
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SystemDrive
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SystemDrive
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SystemDrive
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \cftp\Ftplist.txt
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ;Password=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ;User=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ;Server=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ;Port=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ;Port=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ;Password=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ;User=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ;Anonymous=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: :
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: FTPGetter
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \FTPGetter\servers.xml
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <server>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <server_ip>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <server_ip>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </server_ip>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: :
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <server_port>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </server_port>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <server_user_name>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <server_user_name>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </server_user_name>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <server_user_password>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: <server_user_password>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: </server_user_password>
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: FTPGetter
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: The Bat!
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: appdata
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \The Bat!
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Account.CFN
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Account.CFN
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: zzz
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Becky!
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: DataDir
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Folder.lst
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Mailbox.ini
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Account
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: PassWd
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Account
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SMTPServer
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Account
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: MailAddress
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Becky!
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Outlook
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Email
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: IMAP Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: POP3 Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: HTTP Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SMTP Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Email
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Email
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Email
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: IMAP Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: POP3 Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: HTTP Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SMTP Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Server
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Windows Mail App
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 1
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Email
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Server
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SchemaId
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: pResourceElement
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: pIdentityElement
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: pPackageSid
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: pAuthenticatorElement
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: syncpassword
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: mailoutgoing
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: FoxMail
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Executable
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: FoxmailPath
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Storage\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Storage\
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \mail
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \mail
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Accounts\Account.rec0
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Account.stg
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: POP3Host
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SMTPHost
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: IncomingServer
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Account
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: MailAddress
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: POP3Password
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 5A
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 71
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Opera Mail
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: opera:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor:
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: PocoMail
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: appdata
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \Pocomail\accounts.ini
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Email
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: POPPass
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SMTPPass
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: SMTP
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: eM Client
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: eM Client\accounts.dat
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: eM Client
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: Accounts
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: \
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: "Username":"
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ",
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: "Secret":"
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ",
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: "ProviderName":"
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: ",
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack String decryptor: o6806642kbM7c5

Exploits

Source: Yara match File source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26754cff980.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe PID: 5644, type: MEMORYSTR
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000003.00000003.368853968.0000000001004000.00000004.00000020.00020000.00000000.sdmp, Myapp.exe, 00000004.00000000.393674148.0000000000F02000.00000002.00000001.01000000.00000006.sdmp, Myapp.exe.3.dr
Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000003.00000003.368853968.0000000001004000.00000004.00000020.00020000.00000000.sdmp, Myapp.exe, 00000004.00000000.393674148.0000000000F02000.00000002.00000001.01000000.00000006.sdmp, Myapp.exe.3.dr
Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp
Source: global traffic HTTP traffic detected: GET /customer/577 HTTP/1.1Host: 5.42.94.169Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 5.42.94.169 5.42.94.169
Source: global traffic TCP traffic: 192.168.2.7:49701 -> 89.252.186.89:587
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754C41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.42.94.169
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754C41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.42.94.169/customer/577
Source: AddInProcess32.exe, 00000003.00000003.380608355.0000000006C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: AddInProcess32.exe, 00000003.00000003.380608355.0000000006C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: AddInProcess32.exe, 00000003.00000002.610257702.0000000005F83000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB8000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.606232298.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: AddInProcess32.exe, 00000003.00000003.380317982.0000000006C65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: AddInProcess32.exe, 00000003.00000003.380608355.0000000006C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: AddInProcess32.exe, 00000003.00000002.605694979.0000000001005000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB8000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.425558872.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.606232298.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.605694979.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: AddInProcess32.exe, 00000003.00000002.610257702.0000000005F83000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB8000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.606232298.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: AddInProcess32.exe, 00000003.00000003.380317982.0000000006C65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: AddInProcess32.exe, 00000003.00000003.380608355.0000000006C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: AddInProcess32.exe, 00000003.00000003.380757354.0000000006BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.425518274.0000000005F3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.defence.gov.au/pki0
Source: AddInProcess32.exe, 00000003.00000003.380317982.0000000006C65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: AddInProcess32.exe, 00000003.00000002.610257702.0000000005F83000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB8000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.606232298.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: AddInProcess32.exe, 00000003.00000003.381033686.0000000006BEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: AddInProcess32.exe, 00000003.00000003.381009579.0000000005F3A000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: AddInProcess32.exe, 00000003.00000002.605694979.0000000001009000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C7B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.425558872.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB8000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.3.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: AddInProcess32.exe, 00000003.00000003.379467412.0000000005F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?86afaeec507c9
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: AddInProcess32.exe, 00000003.00000003.381033686.0000000006BEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: AddInProcess32.exe, 00000003.00000003.381062942.0000000005FAD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380380699.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: AddInProcess32.exe, 00000003.00000003.381009579.0000000005F3A000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: AddInProcess32.exe, 00000003.00000002.606232298.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://glassy.com.tr
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: AddInProcess32.exe, 00000003.00000002.606232298.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.glassy.com.tr
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: AddInProcess32.exe, 00000003.00000003.380956339.0000000006BF4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: AddInProcess32.exe, 00000003.00000002.605694979.0000000001005000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB8000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.425558872.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.606232298.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.605694979.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0?
Source: AddInProcess32.exe, 00000003.00000002.605694979.0000000001005000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB8000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.425558872.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.606232298.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.605694979.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: AddInProcess32.exe, 00000003.00000003.380956339.0000000006BF4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754C41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000003.00000003.380956339.0000000006BF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: AddInProcess32.exe, 00000003.00000003.380956339.0000000006BF4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es
Source: AddInProcess32.exe, 00000003.00000003.380757354.0000000006BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: AddInProcess32.exe, 00000003.00000003.380956339.0000000006BF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.381033686.0000000006BEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: AddInProcess32.exe, 00000003.00000003.380380699.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: AddInProcess32.exe, 00000003.00000003.380380699.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: AddInProcess32.exe, 00000003.00000003.380742001.0000000005F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: AddInProcess32.exe, 00000003.00000003.380956339.0000000006BF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: AddInProcess32.exe, 00000003.00000003.380608355.0000000006C63000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: AddInProcess32.exe, 00000003.00000003.381062942.0000000005FAD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380380699.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: AddInProcess32.exe, 00000003.00000003.380956339.0000000006BF4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.610240472.0000000005F79000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.defence.gov.au/pki0
Source: AddInProcess32.exe, 00000003.00000003.380317982.0000000006C65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: AddInProcess32.exe, 00000003.00000003.380317982.0000000006C65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380230644.0000000006C7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: AddInProcess32.exe, 00000003.00000003.380742001.0000000005F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: AddInProcess32.exe, 00000003.00000003.380742001.0000000005F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.eme.lv/repository0
Source: AddInProcess32.exe, 00000003.00000003.381009579.0000000005F3A000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: AddInProcess32.exe, 00000003.00000003.380608355.0000000006C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: AddInProcess32.exe, 00000003.00000003.380608355.0000000006C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oaticerts.com/repository.
Source: AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380875195.0000000005F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: AddInProcess32.exe, 00000003.00000003.380742001.0000000005F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: AddInProcess32.exe, 00000003.00000003.380524565.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: AddInProcess32.exe, 00000003.00000003.380956339.0000000006BF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rcsc.lt/repository0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: AddInProcess32.exe, 00000003.00000003.380956339.0000000006BF4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: AddInProcess32.exe, 00000003.00000003.380956339.0000000006BF4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: AddInProcess32.exe, 00000003.00000003.380683980.0000000005F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB8000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.605694979.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.606232298.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB8000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.605694979.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.606232298.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: AddInProcess32.exe, 00000003.00000003.380757354.0000000006BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: AddInProcess32.exe, 00000003.00000003.380553103.0000000005F53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eca.hinet.net/repository0
Source: AddInProcess32.exe, 00000003.00000003.380956339.0000000006BF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: AddInProcess32.exe, 00000003.00000003.380757354.0000000006BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: AddInProcess32.exe, 00000003.00000003.380757354.0000000006BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: AddInProcess32.exe, 00000003.00000003.380757354.0000000006BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/address/)1(0&
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: AddInProcess32.exe, 00000003.00000003.380230644.0000000006C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: AddInProcess32.exe, 00000003.00000003.381078627.0000000006C85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: AddInProcess32.exe, 00000003.00000003.380718660.0000000005F35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sysinternals.com0
Source: AddInProcess32.exe, 00000003.00000003.380317982.0000000006C65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown DNS traffic detected: queries for: mail.glassy.com.tr
Source: global traffic HTTP traffic detected: GET /customer/577 HTTP/1.1Host: 5.42.94.169Connection: Keep-Alive

System Summary

Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26754cff980.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26754cff980.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764d1d9b8.3.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26754cff980.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26754cff980.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764d1d9b8.3.raw.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_012AA0A0 3_2_012AA0A0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_012AC930 3_2_012AC930
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_012AA970 3_2_012AA970
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_012A9D58 3_2_012A9D58
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_012A5A30 3_2_012A5A30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_052645B2 3_2_052645B2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_0526AE68 3_2_0526AE68
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_0526D148 3_2_0526D148
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_05267998 3_2_05267998
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_0526E1F8 3_2_0526E1F8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_0526D8B7 3_2_0526D8B7
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_05267CA9 3_2_05267CA9
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Static PE information: No import functions for PE file found
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Binary or memory string: OriginalFilename vs D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000000.340224200.00000267530D2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameimefopahi2 vs D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.363891245.0000026764C61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed2b00ccb-6e09-43b8-a4e2-5be86c7f70ff.exe4 vs D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.363891245.0000026764C61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361501715.0000026753280000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprocexp.SysB vs D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Binary or memory string: OriginalFilenameimefopahi2 vs D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Virustotal: Detection: 11%
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe "C:\Users\user\AppData\Roaming\Myapp\Myapp.exe"
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.log
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@11/5@2/3
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_01
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, ????????/?????????????.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000003.00000003.368853968.0000000001004000.00000004.00000020.00020000.00000000.sdmp, Myapp.exe, 00000004.00000000.393674148.0000000000F02000.00000002.00000001.01000000.00000006.sdmp, Myapp.exe.3.dr
Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000003.00000003.368853968.0000000001004000.00000004.00000020.00020000.00000000.sdmp, Myapp.exe, 00000004.00000000.393674148.0000000000F02000.00000002.00000001.01000000.00000006.sdmp, Myapp.exe.3.dr
Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Code function: 0_2_00007FFDC28EA783 push FFFFFFE8h; retf 0_2_00007FFDC28EA8A1
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Code function: 0_2_00007FFDC28E761E pushad ; retf 0_2_00007FFDC28E764D
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Code function: 0_2_00007FFDC28E7E1E pushad ; ret 0_2_00007FFDC28E7E4D
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Code function: 0_2_00007FFDC28E764E push eax; retf 0_2_00007FFDC28E765D
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Code function: 0_2_00007FFDC28E7E4E push eax; ret 0_2_00007FFDC28E7E5D
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Static PE information: real checksum: 0x13e23 should be: 0x15898
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Myapp

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe PID: 5644, type: MEMORYSTR
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Section loaded: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe TID: 6528 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe TID: 6524 Thread sleep count: 9493 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5796 Thread sleep count: 6729 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -99875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -99690s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -99514s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -99393s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -99250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -99140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -99026s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -98906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -98797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -98331s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -98079s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -97886s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -96973s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -96438s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -96311s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -96203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -96078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -95968s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5900 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -95858s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -95750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -95641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -95515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -95359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -95234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -95094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -94984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -94844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -94734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -94576s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -94469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -94359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -94250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -94125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -94015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe TID: 5836 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe TID: 1008 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe TID: 4972 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Window / User API: threadDelayed 9493
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 6729
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99690
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99514
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99393
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99250
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99140
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99026
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98797
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98331
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98079
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 97886
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96973
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96438
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96311
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96203
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96078
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95968
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95858
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95750
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95641
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95515
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95359
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95234
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95094
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 94984
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 94844
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 94734
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 94576
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 94469
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 94359
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 94250
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 94125
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 94015
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Thread delayed: delay time: 922337203685477
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000003.341849044.0000026753460000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hGFSg
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.363891245.0000026764C61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <!--Blazor:{"sequence":0,"type":"server","prerenderId":"eed94f154b554b45b4777ef21cfa6a1e","descriptor":"CfDJ8NGDjlbBORNElQgiMK\u002B5S\u002BvDD72Gfo5GMioQqxS/RbkxY4yjEyf0Hr1hsC7vjw424eVPZAO0ghiNEl7dMm8thwpU0\u002BESGRragWENyxApfzfSqPUuta2Sb7DTZlboYGcAyUd7fxByh8TtCZUkFMLQn1MNFN9SdhviW\u002BI49oArFIlculQhTmP/0zJKQjM5xv5cuZC\u002BowoPJD6KFaHUlKqKDB\u002BV01TWmvPs1Cc\u002B3237\u002Bh74GB8I1YQEmUR9qF9dNLGL2c54Hjmwi\u002BzY7HXoHGvpEl6\u002Biu1dFJDA7pPRemuTTTMNbGnOG9y4fN\u002BqcuMt439aV43KImluuFpyDQiiI4hfi0ROXTuVkLs5KpAMLfryDKKlTDd0k\u002Bvv0yNUzpSawgnVv6V7bpz2/Z9kw9auMXs7zQ0nu3saLVeyQcIgTMMUSKhW"}--><!--Blazor:{"prerenderId":"eed94f154b554b45b4777ef21cfa6a1e"}-->
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: AddInProcess32.exe, 00000003.00000003.380446191.0000000005F8E000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.378934912.0000000005F8F000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.425457537.0000000005F8E000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.609957229.0000000005EB8000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.378934912.0000000005F9E000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000003.379467412.0000000005FA3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361501715.00000267532EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000002.361896473.0000026754CAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000003.341812693.0000026753460000.00000004.00000800.00020000.00000000.sdmp, D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, 00000000.00000003.341628662.0000026753464000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: HgFSg
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 42C000
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 462000
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: A86008
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, ????????/?????????????.cs Reference to suspicious API methods: ('??????????', 'WriteProcessMemory@kernel32.dll'), ('???????????', 'VirtualAllocEx@kernel32.dll')
Source: D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe, ??????????????/?????????????.cs Reference to suspicious API methods: ('??????????', 'GetProcAddress@kernel32.dll'), ('??????????????', 'LoadLibrary@kernel32.dll'), ('????????????', 'VirtualProtect@kernel32.dll'), ('?????????', 'VirtualAlloc@kernel32.dll')
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Queries volume information: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe VolumeInformation
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Queries volume information: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn\v4.0_4.0.0.0__b77a5c561934e089\System.AddIn.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Queries volume information: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn\v4.0_4.0.0.0__b77a5c561934e089\System.AddIn.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Myapp\Myapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 3_2_012AF678 GetUserNameW, 3_2_012AF678

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000002.606232298.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 1288, type: MEMORYSTR
Source: Yara match File source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764d1d9b8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764d1d9b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.605388772.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.363891245.0000026764C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match File source: 00000003.00000002.606232298.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 1288, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000003.00000002.606232298.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 1288, type: MEMORYSTR
Source: Yara match File source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764d1d9b8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764d1d9b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.D#U00e9tails_des_transactions_envoy#U00e9es_141927_20230606.exe.26764cbf970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.605388772.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.363891245.0000026764C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY