Windows Analysis Report
Pago__2023031700.pdf.exe

Overview

General Information

Sample Name: Pago__2023031700.pdf.exe
Analysis ID: 830621
MD5: 2890be155f76dae747449063116b030e
SHA1: 5e5e5aa5b011fe2997362b3980ce6a0fc7cb06e2
SHA256: aceda5af117eafde721c3e286dca3fab79b6acab63c96036ede208fb7359085f
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign process
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: Pago__2023031700.pdf.exe ReversingLabs: Detection: 46%
Source: Pago__2023031700.pdf.exe Joe Sandbox ML: detected
Source: 36.2.jsc.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 0.2.Pago__2023031700.pdf.exe.246900a5680.2.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.itzayanaland.com", "Username": "security01@itzayanaland.com", "Password": " H!S6_PFHTAN{ "}

Exploits

Source: Yara match File source: 0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pago__2023031700.pdf.exe PID: 4956, type: MEMORYSTR
Source: Pago__2023031700.pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Allah\sources\Gemstones-master\obj\x86\Debug\Gemstones.pdb source: Pago__2023031700.pdf.exe
Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp
Source: Joe Sandbox View IP Address: 107.161.75.133 107.161.75.133
Source: global traffic TCP traffic: 192.168.2.3:49685 -> 107.161.75.133:587
Source: unknown TCP traffic detected without corresponding DNS query: 8.253.207.121
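The signature list above asserts three things a responder will want to re-check and turn into blockable indicators: the double-extension lure name (Pago__2023031700.pdf.exe), the SMTP exfiltration configuration pulled out by the configuration extractor, and the outbound connection to 107.161.75.133:587. The following script is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself. It parses copies of the report lines shown on this page (embedded below as a constructed excerpt) and collects those indicators; the regular expressions are written against the line formats visible here and are an assumption for any other report.

```python
"""Triage helper for a Joe Sandbox text report of this AgentTesla sample.

Added example, not part of the original report or of Joe Sandbox itself. It
re-implements three checks the signature list asserts, over the report's own
lines: the double-extension file name, the extracted SMTP exfiltration config,
and the outbound TCP connections (deduplicated, with mail ports called out).
The regexes match the line formats visible in this report; whether other
reports use the same formats is an assumption.
"""
import json
import re
from dataclasses import dataclass, field

# Constructed excerpt: copies of lines that appear in this report.
REPORT_LINES = [
    "Sample Name: Pago__2023031700.pdf.exe",
    'Source: 0.2.Pago__2023031700.pdf.exe.246900a5680.2.unpack Malware Configuration Extractor: '
    'Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.itzayanaland.com", '
    '"Username": "security01@itzayanaland.com", "Password": " H!S6_PFHTAN{ "}',
    "Source: global traffic TCP traffic: 192.168.2.3:49685 -> 107.161.75.133:587",
    "Source: global traffic TCP traffic: 192.168.2.3:49685 -> 107.161.75.133:587",
    "Source: unknown TCP traffic detected without corresponding DNS query: 8.253.207.121",
]

# Lure extensions commonly placed in front of the real executable extension.
DOC_EXTS = r"pdf|doc|docx|xls|xlsx|ppt|pptx|txt|jpg|jpeg|png|rtf"
EXEC_EXTS = r"exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|msi"
DOUBLE_EXT_RE = re.compile(rf"\.({DOC_EXTS})\.({EXEC_EXTS})$", re.IGNORECASE)

CONFIG_RE = re.compile(r"Malware Configuration Extractor: (\S+) (\{.*\})\s*$")
TCP_RE = re.compile(
    r"TCP traffic: (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
)
NO_DNS_RE = re.compile(r"without corresponding DNS query: (\d{1,3}(?:\.\d{1,3}){3})")
SAMPLE_RE = re.compile(r"^Sample Name: (.+)$")

# Ports on which an SMTP exfiltration channel is expected to appear.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "smtp-submission"}


def has_double_extension(name: str) -> bool:
    """True for lure names such as invoice.pdf.exe; False for a plain .pdf or .exe."""
    return DOUBLE_EXT_RE.search(name.strip()) is not None


def parse_config(line: str):
    """Return (family, config dict) from a 'Malware Configuration Extractor' line, else None."""
    m = CONFIG_RE.search(line)
    if not m:
        return None
    try:
        return m.group(1), json.loads(m.group(2))
    except json.JSONDecodeError:
        return None


@dataclass
class Iocs:
    sample_name: str = ""
    double_extension: bool = False
    family: str = ""
    exfil_mode: str = ""
    exfil_host: str = ""
    exfil_user: str = ""
    connections: set = field(default_factory=set)        # {(dst_ip, dst_port)}
    mail_ports_used: dict = field(default_factory=dict)  # {(dst_ip, dst_port): service}
    no_dns_ips: set = field(default_factory=set)


def extract_iocs(lines):
    """Walk the report lines once and collect the indicators a responder would block or hunt."""
    iocs = Iocs()
    for line in lines:
        m = SAMPLE_RE.match(line)
        if m:
            iocs.sample_name = m.group(1).strip()
            iocs.double_extension = has_double_extension(iocs.sample_name)
            continue
        cfg = parse_config(line)
        if cfg:
            iocs.family, conf = cfg
            iocs.exfil_mode = conf.get("Exfil Mode", "")
            iocs.exfil_host = conf.get("Host", "")
            iocs.exfil_user = conf.get("Username", "")
            # The password is deliberately not copied out: it is a credential, not an IOC.
            continue
        m = TCP_RE.search(line)
        if m:
            dst = (m.group(3), int(m.group(4)))
            iocs.connections.add(dst)  # the set collapses the repeated traffic line
            if dst[1] in MAIL_PORTS:
                iocs.mail_ports_used[dst] = MAIL_PORTS[dst[1]]
            continue
        m = NO_DNS_RE.search(line)
        if m:
            iocs.no_dns_ips.add(m.group(1))
    return iocs


if __name__ == "__main__":
    print(extract_iocs(REPORT_LINES))
```

Run as-is, the script reports the lure name as a double extension, the family as Agenttesla with SMTP exfiltration to mail.itzayanaland.com, a single deduplicated connection to 107.161.75.133 on the SMTP submission port, and 8.253.207.121 as an address contacted without a preceding DNS lookup. Feeding it a different report only requires replacing REPORT_LINES with that report's lines.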
Source: jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: jsc.exe, 00000024.00000002.531160900.0000000005F97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apps.identrust.com/
Source: jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F7F000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005EC0000.00000004.00000020.00020000.00000000.sdmp, E0F5C59F9FA661F6F4C50B87FEF3A15A0.36.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c%
Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7cF
Source: jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: jsc.exe, 00000024.00000003.358365892.0000000005F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: jsc.exe, 00000024.00000003.358269924.0000000005F65000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F63000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.defence.gov.au/pki0
Source: jsc.exe, 00000024.00000003.358269924.0000000005F65000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F63000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: jsc.exe, 00000024.00000003.358365892.0000000005F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/I
Source: jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005EC0000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.357919260.0000000005F93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: jsc.exe, 00000024.00000002.525913170.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.36.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: jsc.exe, 00000024.00000003.350861020.0000000005F86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0ca1f1e4ed3eb
Source: jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/r
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://itzayanaland.com
Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.itzayanaland.com
Source: jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358602357.00000000071CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.532091713.00000000071B9000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358426161.00000000071B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0/
Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: jsc.exe, 00000024.00000003.358098755.0000000007249000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: jsc.exe, 00000024.00000003.358365892.0000000005F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: jsc.exe, 00000024.00000003.358365892.0000000005F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: Pago__2023031700.pdf.exe, 00000000.00000003.261636290.00000246F0289000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.261761880.00000246F0287000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.261795395.00000246F0287000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.261596860.00000246F0286000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.532147030.00000000071C7000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358602357.00000000071CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358098755.0000000007249000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.defence.gov.au/pki0
Source: jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: jsc.exe, 00000024.00000003.358098755.0000000007249000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: jsc.exe, 00000024.00000002.532170624.00000000071E3000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.0000000007253000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.532170624.000000000724F000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358098755.0000000007249000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.eme.lv/repository0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.273782371.00000246F0283000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266250899.00000246F0283000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266302224.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.265627536.00000246F0274000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Pago__2023031700.pdf.exe, 00000000.00000003.266421432.00000246F0274000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.265627536.00000246F0274000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266883102.00000246F0283000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Pago__2023031700.pdf.exe, 00000000.00000003.265627536.00000246F0274000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Pago__2023031700.pdf.exe, 00000000.00000003.266586944.00000246F02B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Pago__2023031700.pdf.exe, 00000000.00000003.265627536.00000246F0274000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers0
Source: Pago__2023031700.pdf.exe, 00000000.00000003.267436796.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266883102.00000246F0283000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers0F(
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Pago__2023031700.pdf.exe, 00000000.00000002.326471766.00000246F0270000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.273782371.00000246F0283000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.319343765.00000246F0270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersrsivo
Source: Pago__2023031700.pdf.exe, 00000000.00000003.265826059.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.273782371.00000246F0283000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266250899.00000246F0283000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266302224.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266421432.00000246F0274000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: Pago__2023031700.pdf.exe, 00000000.00000003.265826059.00000246F0273000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comFF
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Pago__2023031700.pdf.exe, 00000000.00000003.260344417.00000246F0285000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/F
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Pago__2023031700.pdf.exe, 00000000.00000003.260810947.00000246F0287000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cna
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: jsc.exe, 00000024.00000003.357919260.0000000005FAE000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005FAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: jsc.exe, 00000024.00000003.357919260.0000000005FAE000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005FAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: Pago__2023031700.pdf.exe, 00000000.00000003.263440133.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263223347.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263739502.00000246F028A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/.TF
Source: Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264202253.00000246F0289000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/.TTC
Source: Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263739502.00000246F028A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: Pago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263223347.00000246F028C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/FF
Source: Pago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264289608.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264202253.00000246F0289000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: Pago__2023031700.pdf.exe, 00000000.00000003.263667188.00000246F0289000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp
Source: Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264202253.00000246F0289000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263739502.00000246F028A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/(
Source: Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
Source: Pago__2023031700.pdf.exe, 00000000.00000003.263440133.00000246F028C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/FF
Source: Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jpH
Source: Pago__2023031700.pdf.exe, 00000000.00000003.263667188.00000246F0289000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263440133.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263739502.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264202253.00000246F0289000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: Pago__2023031700.pdf.exe, 00000000.00000003.269016971.00000246F0286000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.269159707.00000246F0273000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oaticerts.com/repository.
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: jsc.exe, 00000024.00000002.532147030.00000000071C7000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rcsc.lt/repository0
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.258247018.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.258224705.00000246F028C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264370786.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264419223.00000246F0289000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Pago__2023031700.pdf.exe, 00000000.00000003.264345593.00000246F02B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.comtrI
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Pago__2023031700.pdf.exe, 00000000.00000003.260309818.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.260251424.00000246F0282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.krFF
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358602357.00000000071CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358602357.00000000071CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: Pago__2023031700.pdf.exe, 00000000.00000003.261795395.00000246F0287000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Pago__2023031700.pdf.exe, 00000000.00000003.261795395.00000246F0287000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.come
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Pago__2023031700.pdf.exe, 00000000.00000003.259062093.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.259099145.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.259189619.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.259176812.00000246F028C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netF
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: Pago__2023031700.pdf.exe, 00000000.00000003.265508570.00000246F0274000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Pago__2023031700.pdf.exe, 00000000.00000003.261532654.00000246F028B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnFF
Source: Pago__2023031700.pdf.exe, 00000000.00000003.261532654.00000246F028B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eca.hinet.net/repository0
Source: jsc.exe, 00000024.00000002.532147030.00000000071C7000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/address/)1(0&
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: jsc.exe, 00000024.00000003.357895931.0000000007254000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sysinternals.com0
Source: jsc.exe, 00000024.00000003.358269924.0000000005F65000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F63000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown DNS traffic detected: queries for: mail.itzayanaland.com
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Jump to dropped file
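Almost all of the URLs listed above are noise rather than command-and-control: the entries under jsc.exe are certificate-policy, CRL and OCSP pointers from the CA certificates the runtime touched (the dropped CryptnetUrlCache entry is the same activity), and the entries under Pago__2023031700.pdf.exe are vendor URLs from font name tables. The trailing "0" and stray characters are not part of the URL; they are the DER bytes that follow the string inside the certificate, typically the 0x30 SEQUENCE tag of the next element printed as ASCII "0" plus its length byte. The following triage script is an added example and not part of the sandbox report. It parses lines in this report's format, collapses font-vendor hits to their domain, strips DER residue from PKI URLs, and leaves anything unclassified (here the Sysinternals URL) for manual review. The vendor allowlist, the PKI markers and the residue heuristic are assumptions; the sample lines are copied from this listing with the dump identifiers shortened.

```python
import re
from urllib.parse import urlsplit

# Constructed input: lines copied from this report's string listing, with the
# memory-dump identifiers shortened. The line format is the sandbox's own.
SAMPLE_LINES = """\
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: Pago__2023031700.pdf.exe, 00000000.00000003.265627536.00000246F0274000.sdmp String found in binary or memory: http://www.fontbureau.com/designers0
Source: Pago__2023031700.pdf.exe, 00000000.00000003.267436796.00000246F0273000.sdmp String found in binary or memory: http://www.fontbureau.com/designers0F(
Source: jsc.exe, 00000024.00000002.532091713.00000000071A0000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.sdmp String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Pago__2023031700.pdf.exe, 00000000.00000003.261532654.00000246F028B000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnFF
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.sdmp String found in binary or memory: https://www.sysinternals.com0
"""

# Only the first "process, dump" pair of a Source line is attributed.
LINE_RE = re.compile(
    r"^Source: (?P<proc>[^,]+),.*?String found in binary or memory: (?P<url>\S+)$")

# Assumed allowlist: font foundries whose URLs live in Windows font name tables.
FONT_VENDORS = (
    "fontbureau.com", "fonts.com", "founder.com.cn", "galapagosdesign.com",
    "goodfont.co.kr", "jiyu-kobo.co.jp", "monotype.", "sajatypeworks.com",
    "sakkal.com", "sandoll.co.kr", "tiro.com", "typography.net", "urwpp.de",
    "zhongyicts.com.cn",
)

# Assumed markers of certificate policy / revocation / repository pointers.
PKI_MARKERS = (
    "/cps", "cps.pdf", ".crl", "/crl", "ocsp", "/repository", "/policy",
    "/policies", "/dpc", "/lcr", "lencr.org", "/certificates/", "/marco-legal",
    "/verarrel", "/acrn", "/pki/", "/ac/", "/docs", "/juur", "/qncerts",
)

# Heuristic: a URL carved from a DER certificate is followed by the next tag
# byte (0x30 prints as '0') and up to two length/tag bytes. Strip that tail.
DER_TAIL_RE = re.compile(r"0[^/]{0,2}$")


def strip_der_tail(url):
    return DER_TAIL_RE.sub("", url, count=1)


def parse_line(line):
    m = LINE_RE.match(line)
    return (m.group("proc"), m.group("url")) if m else None


def classify(url):
    """Return (bucket, key): font hits collapse to the vendor domain, PKI and
    unclassified URLs keep the residue-stripped URL as key."""
    host = urlsplit(url).netloc.lower()
    for vendor in FONT_VENDORS:
        if vendor in host:            # residue may be glued to the host, e.g. ".cnFF"
            return "font-vendor", vendor
    cleaned = strip_der_tail(url)
    if any(marker in cleaned.lower() for marker in PKI_MARKERS):
        return "pki", cleaned
    return "review", cleaned


def triage(lines):
    """Bucket every string line; each key maps to the set of processes it came from."""
    buckets = {"font-vendor": {}, "pki": {}, "review": {}}
    for line in lines.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        proc, url = parsed
        bucket, key = classify(url)
        buckets[bucket].setdefault(key, set()).add(proc)
    return buckets


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LINES).items():
        print(f"== {bucket} ({len(hits)})")
        for key, procs in sorted(hits.items()):
            print(f"  {key}  <- {', '.join(sorted(procs))}")
```

Anything that lands in the review bucket is the part worth an analyst's time; a URL that is neither a CA pointer nor a font reference, or one found in the injected host rather than the dropper, is the kind of string that turns out to be a panel, an SMTP host or a download stage.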

System Summary

Source: 0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: initial sample Static PE information: Filename: Pago__2023031700.pdf.exe
Source: 0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01F5519 0_2_00007FFBB01F5519
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01E3D68 0_2_00007FFBB01E3D68
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01E6628 0_2_00007FFBB01E6628
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01F6A71 0_2_00007FFBB01F6A71
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01E8B88 0_2_00007FFBB01E8B88
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01E3C70 0_2_00007FFBB01E3C70
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01E6598 0_2_00007FFBB01E6598
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01E3D20 0_2_00007FFBB01E3D20
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01EDEF5 0_2_00007FFBB01EDEF5
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01EF7CF 0_2_00007FFBB01EF7CF
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 36_2_02BBC998 36_2_02BBC998
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 36_2_02BBA9D8 36_2_02BBA9D8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 36_2_02BB9DC0 36_2_02BB9DC0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 36_2_02BBA108 36_2_02BBA108
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 36_2_053AC914 36_2_053AC914
Source: Pago__2023031700.pdf.exe Static PE information: No import functions for PE file found
Source: Pago__2023031700.pdf.exe Binary or memory string: OriginalFilename vs Pago__2023031700.pdf.exe
Source: Pago__2023031700.pdf.exe, 00000000.00000002.325425902.00000246EFA30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Pago__2023031700.pdf.exe
Source: Pago__2023031700.pdf.exe, 00000000.00000002.321896717.0000024690011000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename529fad16-02a2-4f78-a5e9-0893c5783a19.exe4 vs Pago__2023031700.pdf.exe
Source: Pago__2023031700.pdf.exe, 00000000.00000002.321896717.00000246901BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Pago__2023031700.pdf.exe
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680044000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename529fad16-02a2-4f78-a5e9-0893c5783a19.exe4 vs Pago__2023031700.pdf.exe
Source: Pago__2023031700.pdf.exe, 00000000.00000002.323944606.00000246EDE99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Pago__2023031700.pdf.exe
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprocexp.SysB vs Pago__2023031700.pdf.exe
Source: Pago__2023031700.pdf.exe, 00000000.00000002.321896717.000002469029C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Pago__2023031700.pdf.exe
Source: Pago__2023031700.pdf.exe Binary or memory string: OriginalFilenameGemstones.exe4 vs Pago__2023031700.pdf.exe
Source: Pago__2023031700.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Pago__2023031700.pdf.exe ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Pago__2023031700.pdf.exe C:\Users\user\Desktop\Pago__2023031700.pdf.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Pago__2023031700.pdf.exe.log
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@53/5@2/2
Source: Pago__2023031700.pdf.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Pago__2023031700.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Pago__2023031700.pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Pago__2023031700.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Allah\sources\Gemstones-master\obj\x86\Debug\Gemstones.pdb source: Pago__2023031700.pdf.exe
Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01E0360 push eax; retn B00Ch 0_2_00007FFBB01E0373
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00007FFBB01E9021 pushad ; retf 0_2_00007FFBB01E9081
Source: initial sample Static PE information: section name: .text entropy: 7.961630902096703

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.exe Static PE information: Pago__2023031700.pdf.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Pago__2023031700.pdf.exe PID: 4956, type: MEMORYSTR
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe TID: 4936 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5540 Thread sleep count: 9652 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -99859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -99749s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -99640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -99531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -99421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -99310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -99190s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -99047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -98906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -98748s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -98640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -98530s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -98415s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -98290s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -98171s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -98039s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -97906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5656 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -97776s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -97667s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -97500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -97357s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -97249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -97140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -96906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -96770s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -96595s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -96453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -96343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -96218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -96108s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -95997s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -95890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -95781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -95671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -95562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -95453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -95343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -95234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -95124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -95014s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -94906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -94796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -94687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -94578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -94465s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -94312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 Thread sleep time: -94203s >= -30000s
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Window / User API: threadDelayed 9652
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Code function: 0_2_00000246EDC4FE52 sldt word ptr [rax] 0_2_00000246EDC4FE52
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 99859
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 99749
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 99640
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 99531
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 99421
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 99310
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 99190
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 99047
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 98906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 98748
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 98640
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 98530
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 98415
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 98290
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 98171
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 98039
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 97906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 97776
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 97667
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 97500
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 97357
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 97249
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 97140
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 96906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 96770
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 96595
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 96453
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 96343
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 96218
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 96108
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 95997
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 95890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 95781
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 95671
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 95562
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 95453
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 95343
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 95234
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 95124
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 95014
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 94906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 94796
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 94687
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 94578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 94465
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 94312
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Thread delayed: delay time: 94203
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: jsc.exe, 00000024.00000002.531160900.0000000005FB3000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.350357232.0000000005FB1000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.357919260.0000000005FB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: jsc.exe, 00000024.00000002.531160900.0000000005EC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`H
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 400000
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 402000
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 42C000
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 42E000
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: D3A008
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Users\user\Desktop\Pago__2023031700.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 36_2_02BBF6F0 GetUserNameW, 36_2_02BBF6F0

Stealing of Sensitive Information

Source: Yara match File source: 00000024.00000002.526757689.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jsc.exe PID: 5456, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 00000024.00000002.526757689.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jsc.exe PID: 5456, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000024.00000002.526757689.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jsc.exe PID: 5456, type: MEMORYSTR