Windows Analysis Report
Pago__2023031700.pdf.exe

Overview

General Information

Sample Name: Pago__2023031700.pdf.exe
Analysis ID: 830621
MD5: 2890be155f76dae747449063116b030e
SHA1: 5e5e5aa5b011fe2997362b3980ce6a0fc7cb06e2
SHA256: aceda5af117eafde721c3e286dca3fab79b6acab63c96036ede208fb7359085f
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Pago__2023031700.pdf.exe (PID: 4956 cmdline: C:\Users\user\Desktop\Pago__2023031700.pdf.exe MD5: 2890BE155F76DAE747449063116B030E)
    • cvtres.exe (PID: 5140 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
    • AddInProcess.exe (PID: 5208 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe MD5: 11D8A500C4C0FBAF20EBDB8CDF6EA452)
    • DataSvcUtil.exe (PID: 5216 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe MD5: CCDF8F3B189FFB839B390F695FAE2A6D)
    • ComSvcConfig.exe (PID: 5256 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe MD5: 2778AE0EB674B74FF8028BF4E51F1DF5)
    • mscorsvw.exe (PID: 5276 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe MD5: B00E9325AC7356A3F4864EAAAD48E13F)
    • Microsoft.Workflow.Compiler.exe (PID: 5292 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe MD5: D91462AE31562E241AF5595BA5E1A3C4)
    • MSBuild.exe (PID: 5300 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe MD5: 8B9E68304AF4B81C9AB70CB2220EBA74)
    • ngentask.exe (PID: 5308 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe MD5: AA98E294A0210BDA5F79A7288F91B78C)
    • ngen.exe (PID: 5316 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe MD5: FBA5E8D94C9EADC279BC06B9CF041A9A)
    • aspnet_regsql.exe (PID: 5324 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe MD5: F31014EE4DE7FE48E9B7C9BE94CFB45F)
    • dfsvc.exe (PID: 5332 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe MD5: 48FD4DD682051712E3E7757C525DED71)
    • AddInProcess32.exe (PID: 5340 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
    • CasPol.exe (PID: 5348 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe MD5: CB86BA6B2759BF478ADD7A1612C183D5)
    • vbc.exe (PID: 5356 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe MD5: AC610BC00AF71E7C5B89F5AC0F65DAFA)
    • aspnet_compiler.exe (PID: 5364 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe MD5: 7809A19AA8DA1A41F36B60B0664C4E20)
    • InstallUtil.exe (PID: 5372 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe MD5: 6EE3F830099ADD53C26DF5739B44D608)
    • ilasm.exe (PID: 5380 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe MD5: 155758025B42F1804E1429483BA53553)
    • SMSvcHost.exe (PID: 5388 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe MD5: 7EC8B56348F9298BCCA7A745C7F70E2C)
    • aspnet_wp.exe (PID: 5396 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe MD5: 3F68BCF536EEAE067038C67022CDF6D8)
    • WsatConfig.exe (PID: 5408 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe MD5: EDA1875528E99782E9A2C0001BB4C5A9)
    • aspnet_state.exe (PID: 5416 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe MD5: 9EDC7F9BB19D3F12EB05437BD5687C8A)
    • AddInUtil.exe (PID: 5424 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe MD5: 65D30D747EB31E108A36EBC966C1227D)
    • EdmGen.exe (PID: 5432 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe MD5: 2B6A31DFD7C9ED8B413DBDAB800F10F3)
    • RegSvcs.exe (PID: 5440 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)
    • AppLaunch.exe (PID: 5448 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe MD5: 98A8F518B66BA43DF38821C364C3B791)
    • jsc.exe (PID: 5456 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe MD5: 2B40A449D6034F41771A460DADD53A60)
  • cleanup

Malware configuration (extracted, AgentTesla): {"Exfil Mode": "SMTP", "Host": "mail.itzayanaland.com", "Username": "security01@itzayanaland.com", "Password": "      H!S6_PFHTAN{       "}
Yara matches (memory dumps)

Source | Rule | Description | Author
00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000024.00000002.526757689.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000024.00000002.526757689.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Pago__2023031700.pdf.exe PID: 4956 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: Pago__2023031700.pdf.exe PID: 4956 | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security

Yara matches (unpacked PE)

Source | Rule | Description | Author
0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifacts associated with disabling Windows Defender | ditekSHen
  • 0x9d05:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x9d34:$e2: Add-MpPreference -ExclusionPath
0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen
  • 0x9cd5:$r1: Classes\Folder\shell\open\command
  • 0x9124:$k1: DelegateExecute

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Pago__2023031700.pdf.exe | ReversingLabs: Detection: 46%
Source: Pago__2023031700.pdf.exe | Joe Sandbox ML: detected
Source: 36.2.jsc.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.Pago__2023031700.pdf.exe.246900a5680.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.itzayanaland.com", "Username": "security01@itzayanaland.com", "Password": " H!S6_PFHTAN{ "}

Exploits

Source: Yara match | File source: 0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pago__2023031700.pdf.exe PID: 4956, type: MEMORYSTR
Source: Pago__2023031700.pdf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Allah\sources\Gemstones-master\obj\x86\Debug\Gemstones.pdb | source: Pago__2023031700.pdf.exe
Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb | source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp
Source: Joe Sandbox View | IP Address: 107.161.75.133
Source: global traffic | TCP traffic: 192.168.2.3:49685 -> 107.161.75.133:587
Source: unknown | TCP traffic detected without corresponding DNS query: 8.253.207.121
              Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
              Source: jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.532147030.00000000071C7000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358602357.00000000071CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
              Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358098755.0000000007249000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
              Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
              Source: jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
              Source: jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
              Source: jsc.exe, 00000024.00000003.358098755.0000000007249000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
              Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
              Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
              Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
              Source: jsc.exe, 00000024.00000002.532170624.00000000071E3000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.0000000007253000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.532170624.000000000724F000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358098755.0000000007249000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
              Source: jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.eme.lv/repository0
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.273782371.00000246F0283000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266250899.00000246F0283000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266302224.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.265627536.00000246F0274000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.266421432.00000246F0274000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.265627536.00000246F0274000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266883102.00000246F0283000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.265627536.00000246F0274000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.266586944.00000246F02B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.265627536.00000246F0274000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers0
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.267436796.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266883102.00000246F0283000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers0F(
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.326471766.00000246F0270000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.273782371.00000246F0283000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.319343765.00000246F0270000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersrsivo
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.265826059.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.273782371.00000246F0283000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266250899.00000246F0283000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266302224.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266421432.00000246F0274000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.265826059.00000246F0273000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comFF
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.260344417.00000246F0285000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/F
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.260810947.00000246F0287000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cna
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: jsc.exe, 00000024.00000003.357919260.0000000005FAE000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005FAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
              Source: jsc.exe, 00000024.00000003.357919260.0000000005FAE000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005FAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
              Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.263440133.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263223347.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263739502.00000246F028A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/(
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/.TF
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264202253.00000246F0289000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/.TTC
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/8
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263739502.00000246F028A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/F
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263223347.00000246F028C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/FF
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/H
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264289608.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264202253.00000246F0289000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.263667188.00000246F0289000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264202253.00000246F0289000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263739502.00000246F028A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/(
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.263440133.00000246F028C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/FF
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jpH
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.263667188.00000246F0289000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263440133.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263739502.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264202253.00000246F0289000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/x
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.269016971.00000246F0286000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.269159707.00000246F0273000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.
              Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
              Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
              Source: jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
              Source: jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
              Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
              Source: jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
              Source: jsc.exe, 00000024.00000002.532147030.00000000071C7000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
              Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
              Source: jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rcsc.lt/repository0
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.258247018.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.258224705.00000246F028C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264370786.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264419223.00000246F0289000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.264345593.00000246F02B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.comtrI
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.260309818.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.260251424.00000246F0282000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krFF
              Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
              Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
              Source: jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
              Source: jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358602357.00000000071CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
              Source: jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358602357.00000000071CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr0#
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.261795395.00000246F0287000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.261795395.00000246F0287000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.come
              Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
              Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.259062093.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.259099145.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.259189619.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.259176812.00000246F028C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netF
              Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
              Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.265508570.00000246F0274000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.261532654.00000246F028B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnFF
              Source: Pago__2023031700.pdf.exe, 00000000.00000003.261532654.00000246F028B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
              Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
              Source: jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://eca.hinet.net/repository0
              Source: jsc.exe, 00000024.00000002.532147030.00000000071C7000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
              Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
              Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.lu0
              Source: jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.certicamara.com/marco-legal0Z
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ACTAS/789230
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
              Source: jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/address/)1(0&
              Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel
              Source: jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
              Source: jsc.exe, 00000024.00000003.357895931.0000000007254000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.hu/docs/
              Source: jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.net/docs
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sysinternals.com0
              Source: jsc.exe, 00000024.00000003.358269924.0000000005F65000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F63000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/0m
              Source: unknownDNS traffic detected: queries for: mail.itzayanaland.com
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

              System Summary

              Source: 0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
              Source: 0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
              Source: initial sampleStatic PE information: Filename: Pago__2023031700.pdf.exe
              Source: 0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
              Source: 0.2.Pago__2023031700.pdf.exe.24680460328.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01F5519
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01E3D68
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01E6628
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01F6A71
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01E8B88
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01E3C70
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01E6598
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01E3D20
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01EDEF5
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01EF7CF
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeCode function: 36_2_02BBC998
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeCode function: 36_2_02BBA9D8
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeCode function: 36_2_02BB9DC0
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeCode function: 36_2_02BBA108
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeCode function: 36_2_053AC914
              Source: Pago__2023031700.pdf.exeStatic PE information: No import functions for PE file found
              Source: Pago__2023031700.pdf.exeBinary or memory string: OriginalFilename vs Pago__2023031700.pdf.exe
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.325425902.00000246EFA30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Pago__2023031700.pdf.exe
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.321896717.0000024690011000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename529fad16-02a2-4f78-a5e9-0893c5783a19.exe4 vs Pago__2023031700.pdf.exe
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.321896717.00000246901BC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Pago__2023031700.pdf.exe
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680044000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename529fad16-02a2-4f78-a5e9-0893c5783a19.exe4 vs Pago__2023031700.pdf.exe
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.323944606.00000246EDE99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Pago__2023031700.pdf.exe
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprocexp.SysB vs Pago__2023031700.pdf.exe
              Source: Pago__2023031700.pdf.exe, 00000000.00000002.321896717.000002469029C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Pago__2023031700.pdf.exe
              Source: Pago__2023031700.pdf.exeBinary or memory string: OriginalFilenameGemstones.exe4 vs Pago__2023031700.pdf.exe
              Source: Pago__2023031700.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: Pago__2023031700.pdf.exeReversingLabs: Detection: 46%
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\Pago__2023031700.pdf.exe C:\Users\user\Desktop\Pago__2023031700.pdf.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Pago__2023031700.pdf.exe.log
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@53/5@2/2
              Source: Pago__2023031700.pdf.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Pago__2023031700.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Pago__2023031700.pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Pago__2023031700.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: C:\Users\Allah\sources\Gemstones-master\obj\x86\Debug\Gemstones.pdb source: Pago__2023031700.pdf.exe
              Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01E0360 push eax; retn B00Ch
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeCode function: 0_2_00007FFBB01E9021 pushad ; retf
              Source: initial sampleStatic PE information: section name: .text entropy: 7.961630902096703

              Hooking and other Techniques for Hiding and Protection

              Source: Possible double extension: pdf.exeStatic PE information: Pago__2023031700.pdf.exe
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: Pago__2023031700.pdf.exe PID: 4956, type: MEMORYSTR
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe TID: 4936 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5540 | Thread sleep count: 9652 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -99859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -99749s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -99640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -99531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -99421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -99310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -99190s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -99047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -98906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -98748s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -98640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -98530s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -98415s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -98290s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -98171s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -98039s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -97906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5656 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -97776s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -97667s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -97500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -97357s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -97249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -97140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -96906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -96770s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -96595s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -96453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -96343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -96218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -96108s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -95997s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -95890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -95781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -95671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -95562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -95453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -95343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -95234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -95124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -95014s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -94906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -94796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -94687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -94578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -94465s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -94312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe TID: 5660 | Thread sleep time: -94203s >= -30000s
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Window / User API: threadDelayed 9652
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Code function: 0_2_00000246EDC4FE52 sldt word ptr [rax]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 99859
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 99749
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 99640
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 99531
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 99421
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 99310
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 99190
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 99047
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 98906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 98748
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 98640
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 98530
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 98415
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 98290
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 98171
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 98039
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 97906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 97776
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 97667
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 97500
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 97357
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 97249
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 97140
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 96906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 96770
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 96595
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 96453
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 96343
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 96218
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 96108
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 95997
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 95890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 95781
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 95671
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 95562
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 95453
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 95343
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 95234
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 95124
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 95014
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 94906
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 94796
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 94687
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 94578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 94465
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 94312
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Thread delayed: delay time: 94203
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: jsc.exe, 00000024.00000002.531160900.0000000005FB3000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.350357232.0000000005FB1000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.357919260.0000000005FB3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: jsc.exe, 00000024.00000002.531160900.0000000005EC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`H
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Pago__2023031700.pdf.exe, 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 400000
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 402000
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 42C000
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 42E000
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: D3A008
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Users\user\Desktop\Pago__2023031700.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Pago__2023031700.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Code function: 36_2_02BBF6F0 GetUserNameW,

Stealing of Sensitive Information

Source: Yara match | File source: 00000024.00000002.526757689.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jsc.exe PID: 5456, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000024.00000002.526757689.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jsc.exe PID: 5456, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000024.00000002.526757689.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jsc.exe PID: 5456, type: MEMORYSTR
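Added example, not part of the Joe Sandbox report: detection logic for the behaviour recorded in this section, where a .NET framework binary (jsc.exe) rather than a browser, mail client or WinSCP opens credential stores, together with a check for a double-extension lure spawning such a binary. The credential-store file paths and registry keys are the ones listed above. Everything else is an assumption made for the example: the event format, the allowlist of processes expected to read those stores, the list of .NET binaries treated as hollowing hosts, and the parent/child relationship between the lure and jsc.exe in the constructed events.

```python
"""Detection logic for the behaviours in this section: a process that is not a
browser, mail client or SFTP client reading credential stores, and a
double-extension lure spawning a .NET framework binary. Event lines are
constructed in a Sysmon-like shape for the example; they are not from the report."""
import re

# Credential stores listed under "Stealing of Sensitive Information" above.
# File paths are matched on suffix, registry keys on prefix, case-insensitively.
CRED_FILE_SUFFIXES = (
    r"\thunderbird\profiles.ini",
    r"\mozilla\firefox\profiles.ini",
    r"\google\chrome\user data\default\login data",
)
CRED_REG_PREFIXES = (
    r"hkey_current_user\software\microsoft\windows nt\currentversion"
    r"\windows messaging subsystem\profiles\outlook",
    r"hkey_current_user\software\incredimail\identities",
    r"hkey_current_user\software\martin prikryl\winscp 2\sessions",
)
# Assumed allowlist of processes expected to read those stores (tune per estate).
EXPECTED_READERS = {"thunderbird.exe", "firefox.exe", "chrome.exe",
                    "outlook.exe", "incredimail.exe", "winscp.exe"}
# Assumed list of .NET framework binaries commonly used as hollowing hosts.
DOTNET_HOSTS = {"jsc.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}
# Document-looking extension followed by an executable one, e.g. ".pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png|txt)\.(exe|scr|com)$", re.I)


def basename(path):
    """Last path component, lower-cased, for comparisons against the sets above."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(line):
    """Parse 'EventType|Key=Value|Key=Value' (constructed format) into a dict."""
    kind, *fields = line.strip().split("|")
    event = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def analyse(lines):
    """Return (rule, process, object) tuples for every matching event."""
    findings = []
    for ev in map(parse, lines):
        proc = basename(ev.get("Image", ""))
        if ev["type"] == "ProcessCreate":
            parent = basename(ev.get("ParentImage", ""))
            if DOUBLE_EXT.search(proc):
                findings.append(("double_extension", proc, ev["Image"]))
            if proc in DOTNET_HOSTS and DOUBLE_EXT.search(parent):
                findings.append(("dotnet_host_from_lure", proc, parent))
        elif ev["type"] == "FileOpen":
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(CRED_FILE_SUFFIXES) and proc not in EXPECTED_READERS:
                findings.append(("cred_file_access", proc, target))
        elif ev["type"] == "RegistryOpen":
            key = ev.get("TargetObject", "")
            if key.lower().startswith(CRED_REG_PREFIXES) and proc not in EXPECTED_READERS:
                findings.append(("cred_registry_access", proc, key))
    return findings


# Constructed events mirroring the report: the lure starts jsc.exe, which then
# reads the Thunderbird profile and the WinSCP session key; Firefox reading its
# own profiles.ini is expected and must not alert.
SAMPLE_EVENTS = [
    "ProcessCreate|Image=C:\\Users\\user\\Desktop\\Pago__2023031700.pdf.exe"
    "|ParentImage=C:\\Windows\\explorer.exe",
    "ProcessCreate|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\jsc.exe"
    "|ParentImage=C:\\Users\\user\\Desktop\\Pago__2023031700.pdf.exe",
    "FileOpen|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\jsc.exe"
    "|TargetFilename=C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini",
    "RegistryOpen|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\jsc.exe"
    "|TargetObject=HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions",
    "FileOpen|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    "|TargetFilename=C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
]

if __name__ == "__main__":
    for rule, proc, obj in analyse(SAMPLE_EVENTS):
        print(f"{rule:24} {proc:28} {obj}")
```

The allowlist is deliberately by image name only; in production, key it on a signed, full path so a renamed dropper cannot satisfy it, and treat the registry prefixes as a starting point, since the Outlook profile GUID seen in this report (9375CFF0413111d3B88A00104B2A6676) is the well-known default and other profiles sit under the same parent key.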
MITRE ATT&CK matrix, grouped by tactic. A number in parentheses is the count badge shown next to that technique in the report; techniques without a number are the matrix background and were not flagged for this sample.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (211); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (211); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (141); Process Injection (211); Obfuscated Files or Information (12); Software Packing (3); Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping (1); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1); System Information Discovery (114)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Source | Detection | Scanner | Label
Pago__2023031700.pdf.exe | 46% | ReversingLabs | Win64.Trojan.Leonem
Pago__2023031700.pdf.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
36.2.jsc.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
No Antivirus matches
Source | Detection | Scanner | Label
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class3.crl0 | 0% | URL Reputation | safe
http://ocsp.suscerte.gob.ve0 | 0% | URL Reputation | safe
http://crl.dhimyotis.com/certignarootca.crl0 | 0% | URL Reputation | safe
http://www.chambersign.org1 | 0% | URL Reputation | safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | 0% | URL Reputation | safe
http://crl.ssc.lt/root-c/cacrl.crl0 | 0% | URL Reputation | safe
http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
http://www.suscerte.gob.ve/dpc0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/8 | 0% | URL Reputation | safe
http://www.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/( | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://policy.camerfirma.com0 | 0% | URL Reputation | safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0? | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G | 0% | URL Reputation | safe
https://wwww.certigna.fr/autorites/0m | 0% | URL Reputation | safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/H | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/F | 0% | URL Reputation | safe
http://www.globaltrust.info0 | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://ac.economia.gob.mx/last.crl0G | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/x | 0% | URL Reputation | safe
http://crl.oces.trust2408.com/oces.crl0 | 0% | URL Reputation | safe
http://certs.oaticerts.com/repository/OATICA2.crl | 0% | URL Reputation | safe
http://certs.oati.net/repository/OATICA2.crt0 | 0% | URL Reputation | safe
http://www.accv.es00 | 0% | URL Reputation | safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.acabogacia.org0 | 0% | URL Reputation | safe
http://crl.securetrust.com/SGCA.crl0 | 0% | URL Reputation | safe
http://www.agesic.gub.uy/acrn/acrn.crl0) | 0% | URL Reputation | safe
http://www.rcsc.lt/repository0 | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netF | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://www.correo.com.uy/correocert/cps.pdf0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://certs.oaticerts.com/repository/OATICA2.crt08 | 0% | URL Reputation | safe
http://cps.chambersign.org/cps/chambersignroot.html0 | 0% | URL Reputation | safe
http://www.oaticerts.com/repository. | 0% | URL Reputation | safe
http://www.ancert.com/cps0 | 0% | URL Reputation | safe
http://ocsp.accv.es0 | 0% | URL Reputation | safe
http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0 | 0% | URL Reputation | safe
http://www.echoworx.com/ca/root2/cps.pdf0 | 0% | URL Reputation | safe
http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0 | 0% | URL Reputation | safe
http://www.sakkal.comtrI | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.monotype. | 0% | URL Reputation | safe
http://crl.defence.gov.au/pki0 | 0% | URL Reputation | safe
http://www.agesic.gub.uy/acrn/cps_acrn.pdf0 | 0% | URL Reputation | safe
http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0 | 0% | URL Reputation | safe
https://www.catcert.net/verarrel05 | 0% | URL Reputation | safe
http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0 | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnFF | 0% | Avira URL Cloud | safe
http://itzayanaland.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krFF | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jpH | 0% | Avira URL Cloud | safe
http://www.fontbureau.comFF | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/FF | 0% | Avira URL Cloud | safe
http://mail.itzayanaland.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/FF | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
itzayanaland.com | 107.161.75.133 | true | false | | unknown
windowsupdatebg.s.llnwi.net | 178.79.225.0 | true | false | | unknown
mail.itzayanaland.com | unknown | unknown | false | | unknown

Of these names, only itzayanaland.com and mail.itzayanaland.com are attributable to the sample: the string http://mail.itzayanaland.com is found in the jsc.exe memory dump 00000024.00000002.526757689, the same process memory that produced the Yara matches under Stealing of Sensitive Information and Remote Access Functionality, and the mail. prefix is consistent with credential exfiltration over SMTP. windowsupdatebg.s.llnwi.net is a Windows Update content-delivery host contacted by the analysis VM itself and should not be used as an indicator. The "safe" verdicts from the URL reputation services are absence of a prior listing, not evidence of benign use.
Name | Source | Malicious | Antivirus Detection | Reputation
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class3.crl0 | jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.suscerte.gob.ve0 | jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358602357.00000000071CA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.dhimyotis.com/certignarootca.crl0 | jsc.exe, 00000024.00000003.358269924.0000000005F65000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F63000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0 | jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.chambersign.org1 | jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://repository.swisssign.com/0 | jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | Pago__2023031700.pdf.exe, 00000000.00000003.266421432.00000246F0274000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.265627536.00000246F0274000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.266883102.00000246F0283000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-c/cacrl.crl0 | jsc.exe, 00000024.00000002.531160900.0000000005EE6000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0 | jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.suscerte.gob.ve/dpc0 | jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358602357.00000000071CA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/8 | Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersrsivo | Pago__2023031700.pdf.exe, 00000000.00000002.326471766.00000246F0270000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.273782371.00000246F0283000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.319343765.00000246F0270000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.disig.sk/ca/crl/ca_disig.crl0 | jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jpH | Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/( | Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.itzayanaland.com | jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pki.registradores.org/normativa/index.htm0 | jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://policy.camerfirma.com0 | jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.532091713.00000000071B9000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358426161.00000000071B9000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.anf.es/es/address-direccion.html | jsc.exe, 00000024.00000003.358365892.0000000005F47000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.anf.es/address/)1(0& | jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0? | jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp | Pago__2023031700.pdf.exe, 00000000.00000003.263667188.00000246F0289000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com/dpc/0Z | jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G | jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.pki.wellsfargo.com/wsprca.crl0 | jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://wwww.certigna.fr/autorites/0m | jsc.exe, 00000024.00000003.358269924.0000000005F65000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005F63000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0 | jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.anf.es/AC/ANFServerCA.crl0 | jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/H | Pago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/FF | Pago__2023031700.pdf.exe, 00000000.00000003.263440133.00000246F028C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/F | Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263739502.00000246F028A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.globaltrust.info0 | jsc.exe, 00000024.00000003.357919260.0000000005FAE000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.531160900.0000000005FAE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Pago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ac.economia.gob.mx/last.crl0G | jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp | false
                                        • URL Reputation: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/xPago__2023031700.pdf.exe, 00000000.00000003.263667188.00000246F0289000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264075136.00000246F028B000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263440133.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263938181.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263739502.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264202253.00000246F0289000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          http://crl.oces.trust2408.com/oces.crl0jsc.exe, 00000024.00000003.358365892.0000000005F47000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://eca.hinet.net/repository0jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            http://www.jiyu-kobo.co.jp/hPago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264289608.00000246F028A000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264202253.00000246F0289000.00000004.00000020.00020000.00000000.sdmpfalse
                                              unknown
                                              http://certs.oaticerts.com/repository/OATICA2.crljsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://certs.oati.net/repository/OATICA2.crt0jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.accv.es00jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                http://web.ncdc.gov.sa/crl/nrcaparta1.crljsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.datev.de/zertifikat-policy-int0jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.founder.com.cn/cn/bThePago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.acabogacia.org0jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.firmaprofesional.com/cps0jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.fontbureau.comFFPago__2023031700.pdf.exe, 00000000.00000003.265826059.00000246F0273000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://crl.securetrust.com/SGCA.crl0jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.agesic.gub.uy/acrn/acrn.crl0)jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.rcsc.lt/repository0jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.typography.netDPago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.typography.netFPago__2023031700.pdf.exe, 00000000.00000003.259062093.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.259099145.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.259189619.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.259176812.00000246F028C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://fontfabrik.comPago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://web.certicamara.com/marco-legal0Zjsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.quovadisglobal.com/cps0jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://x1.c.lencr.org/0jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://x1.i.lencr.org/0jsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.525913170.0000000000F43000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.correo.com.uy/correocert/cps.pdf0jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fonts.comPago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.sandoll.co.krPago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.urwpp.dePago__2023031700.pdf.exe, 00000000.00000003.265508570.00000246F0274000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://certs.oaticerts.com/repository/OATICA2.crt08jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://cps.chambersign.org/cps/chambersignroot.html0jsc.exe, 00000024.00000003.358124125.0000000005F5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.sakkal.comtrIPago__2023031700.pdf.exe, 00000000.00000003.264345593.00000246F02B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.anf.es/AC/RC/ocsp0cjsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.oaticerts.com/repository.jsc.exe, 00000024.00000003.358338782.0000000005F4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.ancert.com/cps0jsc.exe, 00000024.00000003.358098755.0000000007249000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://ocsp.accv.es0jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.echoworx.com/ca/root2/cps.pdf0jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://rca.e-szigno.hu/ocsp0-jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.zhongyicts.com.cnFFPago__2023031700.pdf.exe, 00000000.00000003.261532654.00000246F028B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://eca.hinet.net/repository/CRL2/CA.crl0jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.datev.de/zertifikat-policy-std0jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358098755.0000000007249000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.jiyu-kobo.co.jp/jp/Pago__2023031700.pdf.exe, 00000000.00000003.264149744.00000246F0273000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263854181.00000246F028C000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.264202253.00000246F0289000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.com/designers/cabarga.htmlNPago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.founder.com.cn/cnPago__2023031700.pdf.exe, 00000000.00000002.327306243.00000246F1502000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.fontbureau.com/designers/cabarga.htmlPago__2023031700.pdf.exe, 00000000.00000003.266586944.00000246F02B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.monotype.Pago__2023031700.pdf.exe, 00000000.00000003.269016971.00000246F0286000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.269159707.00000246F0273000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://crl.defence.gov.au/pki0jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.agesic.gub.uy/acrn/cps_acrn.pdf0jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0jsc.exe, 00000024.00000003.358243192.00000000071B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://www.catcert.net/verarrel05jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0jsc.exe, 00000024.00000003.358426161.00000000071A5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.sandoll.co.krFFPago__2023031700.pdf.exe, 00000000.00000003.260309818.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.260251424.00000246F0282000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://itzayanaland.comjsc.exe, 00000024.00000002.526757689.0000000002DD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.pki.gva.es/cps0%jsc.exe, 00000024.00000002.532091713.00000000071A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.jiyu-kobo.co.jp/FFPago__2023031700.pdf.exe, 00000000.00000003.263522721.00000246F0288000.00000004.00000020.00020000.00000000.sdmp, Pago__2023031700.pdf.exe, 00000000.00000003.263223347.00000246F028C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.cert.fnmt.es/dpcs/0jsc.exe, 00000024.00000003.358379304.00000000071CD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.357919260.0000000005F66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.datev.de/zertifikat-policy-bt0jsc.exe, 00000024.00000003.358269924.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000002.532147030.00000000071C7000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358143575.00000000071BD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000024.00000003.358602357.00000000071CA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              • No. of IPs < 25%
                                                                              • 25% < No. of IPs < 50%
                                                                              • 50% < No. of IPs < 75%
                                                                              • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
107.161.75.133 | itzayanaland.com | Canada | 32613 | IWEB-ASCA | false
                                                                              IP
                                                                              192.168.2.1
                                                                              Joe Sandbox Version:37.0.0 Beryl
                                                                              Analysis ID:830621
                                                                              Start date and time:2023-03-20 14:48:23 +01:00
                                                                              Joe Sandbox Product:CloudBasic
                                                                              Overall analysis duration:0h 8m 49s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:light
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                              Number of analysed new started processes analysed:39
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:0
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • HDC enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Sample file name:Pago__2023031700.pdf.exe
                                                                              Detection:MAL
                                                                              Classification:mal100.troj.spyw.expl.evad.winEXE@53/5@2/2
                                                                              EGA Information:
                                                                              • Successful, ratio: 100%
                                                                              HDC Information:
                                                                              • Successful, ratio: 6.6% (good quality ratio 6.5%)
                                                                              • Quality average: 66.5%
                                                                              • Quality standard deviation: 24.4%
                                                                              HCA Information:
                                                                              • Successful, ratio: 97%
                                                                              • Number of executed functions: 0
                                                                              • Number of non-executed functions: 0
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                              • Excluded IPs from analysis (whitelisted): 23.211.4.90, 204.79.197.200, 13.107.21.200, 178.79.225.0, 209.197.3.8, 8.238.85.126, 67.26.73.254, 67.26.137.254, 8.238.191.126, 8.248.131.254, 8.248.113.254, 8.238.190.126, 8.238.88.248, 23.0.174.24, 23.0.174.17
                                                                              • Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, identrust.edgesuite.net, dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, www-www.bing.com.trafficmanager.net, wu-bg-shim.trafficmanager.net, a1952.dscq.akamai.net, e16604.g.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, prod.fs.microsoft.com.akadns.net, apps.identrust.com
                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                              • VT rate limit hit for: Pago__2023031700.pdf.exe
Time | Type | Description
14:50:03 | API Interceptor | 57x Sleep call for process: jsc.exe modified
                                                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                              Category:dropped
                                                                              Size (bytes):62582
                                                                              Entropy (8bit):7.996063107774368
                                                                              Encrypted:true
                                                                              SSDEEP:1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
                                                                              MD5:E71C8443AE0BC2E282C73FAEAD0A6DD3
                                                                              SHA1:0C110C1B01E68EDFACAEAE64781A37B1995FA94B
                                                                              SHA-256:95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
                                                                              SHA-512:B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
                                                                              Malicious:false
                                                                              Preview:MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k...*.Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G|.*[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.
                                                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):893
                                                                              Entropy (8bit):7.366016576663508
                                                                              Encrypted:false
                                                                              SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                                                                              MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                                                                              SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                                                                              SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                                                                              SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                                                                              Malicious:false
                                                                              Preview:0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
                                                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):328
                                                                              Entropy (8bit):3.1335351732898324
                                                                              Encrypted:false
                                                                              SSDEEP:6:kKeAry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:1CvkPlE99SNxAhUext
                                                                              MD5:A3364DEAEDA04E1720E71272FBDF14BD
                                                                              SHA1:B0054425AE22C2EF7F82F392B07ABA0CDF4FC7C2
                                                                              SHA-256:0015329A3BA84939129A69AF574F633FFCA145FAF82A0FDEC3EEDA486DF85317
                                                                              SHA-512:4795F8594CFC70DFC6151A4DB77056669CB27621C323421EBDAD5C79245A89451798A97981C883E4FA0B139382A6984B9C8426240852DE4A5D24356251999DC7
                                                                              Malicious:false
                                                                              Preview:p...... ...........y[..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...
                                                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                                                              File Type:data
                                                                              Category:modified
                                                                              Size (bytes):252
                                                                              Entropy (8bit):2.960629782007402
                                                                              Encrypted:false
                                                                              SSDEEP:3:kkFkl5knAfllXlE/Bi9llPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB15RNU2UPlN:kKRiZliBAIdQZV742MN
                                                                              MD5:2DB4826B413510329DC456C0BC347236
                                                                              SHA1:520EA8EBCEB109C7B48AB3C8E9938EC486CAD765
                                                                              SHA-256:A355979FC6B012B30262653A19D00C6201E88BDCB45265C1291A7A3493259337
                                                                              SHA-512:F03CAB919715E7B3B7A1AF52B67CAE57C05A922F65FB26E9D30F62684E7970CAAD8290DF4B28DE59E90AEB45BC8FAEA27AF9EB3E36CAC7D9940DEC94F34F3926
                                                                              Malicious:false
                                                                              Preview:p...... ....`....s...[..(....................................................... ........$...;......(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.f.4.3.3.1.8.8.d.a.a.0.0."...
                                                                              Process:C:\Users\user\Desktop\Pago__2023031700.pdf.exe
                                                                              File Type:CSV text
                                                                              Category:dropped
                                                                              Size (bytes):1281
                                                                              Entropy (8bit):5.367899416177239
                                                                              Encrypted:false
                                                                              SSDEEP:24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
                                                                              MD5:7115A3215A4C22EF20AB9AF4160EE8F5
                                                                              SHA1:A4CAB34355971C1FBAABECEFA91458C4936F2C24
                                                                              SHA-256:A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
                                                                              SHA-512:2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
                                                                              Malicious:true
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                                              File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):7.956982836929551
                                                                              TrID:
                                                                              • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                                              • Win64 Executable GUI (202006/5) 46.43%
                                                                              • Win64 Executable (generic) (12005/4) 2.76%
                                                                              • Generic Win/DOS Executable (2004/3) 0.46%
                                                                              • DOS Executable Generic (2002/1) 0.46%
                                                                              File name:Pago__2023031700.pdf.exe
                                                                              File size:530944
                                                                              MD5:2890be155f76dae747449063116b030e
                                                                              SHA1:5e5e5aa5b011fe2997362b3980ce6a0fc7cb06e2
                                                                              SHA256:aceda5af117eafde721c3e286dca3fab79b6acab63c96036ede208fb7359085f
                                                                              SHA512:7e65216af0216b4fc8b19652b8137c3d9fde6b979658a61e462c7a3616461ae923bb777f3321ed9eebf38ae6dc43c43b6bf2752e43de14ed4ecc5c17777540e5
                                                                              SSDEEP:12288:rHX72XRH0IQQoHCcJg44Wmtr2wNgOejgs8I0phlIwjuMAv3npMovInfdqrlb:DXERUHfL4W5wjFH3lJjmhb
                                                                              TLSH:46B423243444A117DDD97BFE405A174327B43E2D32B6D30AA9B037B289BAE93DE4C49D
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...}8.d.........."...0.Y................ ....@...... .......................`............`................................
                                                                              Icon Hash:00828e8e8686b000
                                                                              Entrypoint:0x400000
                                                                              Entrypoint Section:
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x6414387D [Fri Mar 17 09:53:01 2023 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:
                                                                              Instruction
                                                                              dec ebp
                                                                              pop edx
                                                                              nop
                                                                              add byte ptr [ebx], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax+eax], al
                                                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x5a6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x82fe0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x81059 | 0x81200 | False | 0.947027392909003 | data | 7.961630902096703 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x84000 | 0x5a6 | 0x600 | False | 0.4153645833333333 | data | 4.058644514909176 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x840a0 | 0x31c | data | |
RT_MANIFEST | 0x843bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 14:50:04.271550894 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:50:04.380311966 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:04.380443096 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:50:04.529057980 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:04.530910969 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:50:04.639633894 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:04.643004894 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:50:04.753875971 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:04.877150059 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:50:04.888812065 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:50:05.005218029 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:05.005265951 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:05.005280018 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:05.005299091 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:05.005470991 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:50:05.007200003 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:05.040859938 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:50:05.149967909 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:05.377163887 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:50:10.181471109 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:50:10.290236950 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:10.290447950 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:50:10.290986061 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3
Mar 20, 2023 14:50:10.291098118 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133
Mar 20, 2023 14:51:22.325768948 CET | 80 | 49690 | 8.253.207.121 | 192.168.2.3
Mar 20, 2023 14:51:22.325910091 CET | 49690 | 80 | 192.168.2.3 | 8.253.207.121
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 14:50:03.776485920 CET | 58974 | 53 | 192.168.2.3 | 8.8.8.8
Mar 20, 2023 14:50:03.975155115 CET | 53 | 58974 | 8.8.8.8 | 192.168.2.3
Mar 20, 2023 14:50:04.043807983 CET | 63722 | 53 | 192.168.2.3 | 8.8.8.8
Mar 20, 2023 14:50:04.245074987 CET | 53 | 63722 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 14:50:03.776485920 CET | 192.168.2.3 | 8.8.8.8 | 0x4463 | Standard query (0) | mail.itzayanaland.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 14:50:04.043807983 CET | 192.168.2.3 | 8.8.8.8 | 0x69aa | Standard query (0) | mail.itzayanaland.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 14:49:44.250356913 CET | 8.8.8.8 | 192.168.2.3 | 0x32af | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.225.0 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 14:49:44.250356913 CET | 8.8.8.8 | 192.168.2.3 | 0x32af | No error (0) | windowsupdatebg.s.llnwi.net | | 95.140.230.128 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 14:50:03.975155115 CET | 8.8.8.8 | 192.168.2.3 | 0x4463 | No error (0) | mail.itzayanaland.com | itzayanaland.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 14:50:03.975155115 CET | 8.8.8.8 | 192.168.2.3 | 0x4463 | No error (0) | itzayanaland.com | | 107.161.75.133 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 14:50:04.245074987 CET | 8.8.8.8 | 192.168.2.3 | 0x69aa | No error (0) | mail.itzayanaland.com | itzayanaland.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 14:50:04.245074987 CET | 8.8.8.8 | 192.168.2.3 | 0x69aa | No error (0) | itzayanaland.com | | 107.161.75.133 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Mar 20, 2023 14:50:04.529057980 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3 | 220-server.hostingbricks.com ESMTP Exim 4.96 #2 Mon, 20 Mar 2023 07:50:04 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Mar 20, 2023 14:50:04.530910969 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133 | EHLO 066656
Mar 20, 2023 14:50:04.639633894 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3 | 250-server.hostingbricks.com Hello 066656 [84.17.52.9]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Mar 20, 2023 14:50:04.643004894 CET | 49685 | 587 | 192.168.2.3 | 107.161.75.133 | STARTTLS
Mar 20, 2023 14:50:04.753875971 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3 | 220 TLS go ahead
Mar 20, 2023 14:50:10.290236950 CET | 587 | 49685 | 107.161.75.133 | 192.168.2.3 | 421 server.hostingbricks.com lost input connection


                                                                              Target ID:0
                                                                              Start time:14:49:21
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\Desktop\Pago__2023031700.pdf.exe
                                                                              Wow64 process (32bit):false
Commandline: C:\Users\user\Desktop\Pago__2023031700.pdf.exe
Imagebase: 0x246edbe0000
File size: 530944 bytes
MD5 hash: 2890BE155F76DAE747449063116B030E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.319756030.0000024680108000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 10
Start time: 14:49:46
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Imagebase: 0x7ff7f1f30000
File size: 47280 bytes
MD5 hash: 33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 12
Start time: 14:49:47
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Imagebase: 0x23ecc510000
File size: 42080 bytes
MD5 hash: 11D8A500C4C0FBAF20EBDB8CDF6EA452
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 13
Start time: 14:49:47
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
Imagebase: 0x22aa9eb0000
File size: 71776 bytes
MD5 hash: CCDF8F3B189FFB839B390F695FAE2A6D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 14
Start time: 14:49:47
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Imagebase: 0x29a7b920000
File size: 173672 bytes
MD5 hash: 2778AE0EB674B74FF8028BF4E51F1DF5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 15
Start time: 14:49:48
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Imagebase: 0x7ff6b5da0000
File size: 128584 bytes
MD5 hash: B00E9325AC7356A3F4864EAAAD48E13F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 16
Start time: 14:49:48
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Imagebase: 0x1e5a40f0000
File size: 32872 bytes
MD5 hash: D91462AE31562E241AF5595BA5E1A3C4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 17
Start time: 14:49:48
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Imagebase: 0x1b1fda20000
File size: 258144 bytes
MD5 hash: 8B9E68304AF4B81C9AB70CB2220EBA74
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 18
Start time: 14:49:48
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
Imagebase: 0x269070d0000
File size: 84576 bytes
MD5 hash: AA98E294A0210BDA5F79A7288F91B78C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 19
Start time: 14:49:48
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Imagebase: 0x7ff63ed90000
File size: 174184 bytes
MD5 hash: FBA5E8D94C9EADC279BC06B9CF041A9A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 20
Start time: 14:49:48
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Imagebase: 0x1b0d44a0000
File size: 126560 bytes
MD5 hash: F31014EE4DE7FE48E9B7C9BE94CFB45F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 21
Start time: 14:49:48
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Imagebase: 0x21cd32a0000
File size: 24160 bytes
MD5 hash: 48FD4DD682051712E3E7757C525DED71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 22
Start time: 14:49:48
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Imagebase: 0x2e0000
File size: 42080 bytes
MD5 hash: F2A47587431C466535F3C3D3427724BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 23
Start time: 14:49:48
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
Imagebase: 0x1f4dd400000
File size: 107112 bytes
MD5 hash: CB86BA6B2759BF478ADD7A1612C183D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 24
Start time: 14:49:48
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
Imagebase: 0x7ff611820000
File size: 3226720 bytes
MD5 hash: AC610BC00AF71E7C5B89F5AC0F65DAFA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 25
Start time: 14:49:49
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Imagebase: 0x2207b9d0000
File size: 54888 bytes
MD5 hash: 7809A19AA8DA1A41F36B60B0664C4E20
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 26
Start time: 14:49:49
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Imagebase: 0x18399d10000
File size: 40552 bytes
MD5 hash: 6EE3F830099ADD53C26DF5739B44D608
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 27
Start time: 14:49:49
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Imagebase: 0x7ff694b60000
File size: 365664 bytes
MD5 hash: 155758025B42F1804E1429483BA53553
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 28
Start time: 14:49:49
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
Imagebase: 0x1d6f2320000
File size: 136296 bytes
MD5 hash: 7EC8B56348F9298BCCA7A745C7F70E2C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 29
Start time: 14:49:49
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Imagebase: 0x7ff7d6df0000
File size: 50784 bytes
MD5 hash: 3F68BCF536EEAE067038C67022CDF6D8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 30
Start time: 14:49:49
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
Imagebase: 0x18526c10000
File size: 152680 bytes
MD5 hash: EDA1875528E99782E9A2C0001BB4C5A9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 31
Start time: 14:49:50
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Imagebase: 0x7ff716570000
File size: 52832 bytes
MD5 hash: 9EDC7F9BB19D3F12EB05437BD5687C8A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 32
Start time: 14:49:50
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
Imagebase: 0x2c691ad0000
File size: 42600 bytes
MD5 hash: 65D30D747EB31E108A36EBC966C1227D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 33
Start time: 14:49:50
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
Imagebase: 0x1f3094f0000
File size: 96864 bytes
MD5 hash: 2B6A31DFD7C9ED8B413DBDAB800F10F3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 34
Start time: 14:49:50
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Imagebase: 0x2865ece0000
File size: 44640 bytes
MD5 hash: 59FCE79E9D81AB9E2ED4C3561205F5DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 35
Start time: 14:49:50
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Imagebase: 0x7ff71a7b0000
File size: 119904 bytes
MD5 hash: 98A8F518B66BA43DF38821C364C3B791
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 36
Start time: 14:49:50
Start date: 20/03/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                                                              Imagebase:0xa50000
                                                                              File size:46688 bytes
                                                                              MD5 hash:2B40A449D6034F41771A460DADD53A60
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000024.00000002.526757689.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000002.526757689.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                              No disassembly