Windows Analysis Report Cab_Invoice_pdf.bin

Overview

General Information

Sample Name: Cab_Invoice_pdf.bin (renamed file extension from bin to exe)
Analysis ID: 534002
MD5: e5dc6a7459fd6ef46afee60318470b03
SHA1: c0a036def9b2d42804c164b156aaf007d9fffa02
SHA256: ea0fd73223e8313da714a6924c1dfae72f2c976935c2b323a6b192c063b0063a

Errors
  • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database
  • Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service
  • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing
  • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP
  • Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog
  • Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy
  • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Sigma detected: System File Execution Location Anomaly
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to get notified if a device is plugged in / out
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Direct Autorun Keys Modification
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Sigma detected: Reg Add RUN Key
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Uses reg.exe to modify the Windows registry
Contains functionality to retrieve information about pressed keystrokes
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Cab_Invoice_pdf.exe Virustotal: Detection: 62%
Source: Cab_Invoice_pdf.exe Metadefender: Detection: 33%
Source: Cab_Invoice_pdf.exe ReversingLabs: Detection: 58%
Antivirus / Scanner detection for submitted sample
Source: Cab_Invoice_pdf.exe Avira: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.3.Cab_Invoice_pdf.exe.10695b0.14.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: Cab_Invoice_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: Cab_Invoice_pdf.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.428528477.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.433779342.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.566821598.000000006E801000.00000020.00020000.sdmp, svchost.exe, 0000000B.00000003.461345666.0000000002B00000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.489294757.0000000003600000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: svchost.exe, 0000000B.00000003.394749545.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.398010798.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.393554815.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567499040.000000006EC0E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.412809412.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.425322367.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.435730972.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: d:\agent\_work\9\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569291136.0000000072F21000.00000020.00020000.sdmp, svchost.exe, 0000000B.00000003.386396710.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.485296621.0000000070131000.00000020.00020000.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\pywintypes.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568991542.000000006F30E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.459130908.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.396174179.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.418168798.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.410176305.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.423854182.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\pyexpat.pdb source: svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.393935792.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\win32api.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567031750.000000006EADF000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.464053217.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.401443735.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.392740878.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: Cab_Invoice_pdf.exe, 00000003.00000002.568469462.000000006EDAC000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.449130672.0000000002B7A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.482692912.000000000377A000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567266133.000000006EB5E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.394362827.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569245523.00000000703D3000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.421932016.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_asyncio.pdb source: svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\win32gui.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567116932.000000006EB0B000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.467080000.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
Source: Binary string: ta.pdb source: Cab_Invoice_pdf.exe
Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567385268.000000006EBD0000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdbUGP source: Cab_Invoice_pdf.exe, 00000003.00000002.566821598.000000006E801000.00000020.00020000.sdmp, svchost.exe, 0000000B.00000003.461345666.0000000002B00000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.489294757.0000000003600000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.405860680.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569068056.000000006F339000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\python38.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.566602937.000000006E713000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.439490901.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.395552475.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: Cab_Invoice_pdf.exe, 00000003.00000002.567205585.000000006EB3B000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.481773795.000000006DAEB000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: svchost.exe, 0000000B.00000003.411685579.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.399919805.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568924352.000000006F2F3000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567205585.000000006EB3B000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.481773795.000000006DAEB000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.393149261.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1i 8 Dec 2020built on: Tue Jan 5 20:17:31 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: Cab_Invoice_pdf.exe, 00000003.00000002.568469462.000000006EDAC000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.449130672.0000000002B7A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.482692912.000000000377A000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.420047349.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: svchost.exe, 0000000B.00000003.397576219.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.430416405.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_overlapped.pdb source: svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: svchost.exe, 0000000B.00000003.403125486.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.399119703.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.441941698.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.407177237.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568546215.000000006EDF8000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.414456474.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.408682511.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: svchost.exe, 0000000B.00000003.395157867.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\pywintypes.pdb+ source: Cab_Invoice_pdf.exe, 00000003.00000002.568991542.000000006F30E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.459130908.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.432280344.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.397132347.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569138282.0000000070283000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb@@ source: Cab_Invoice_pdf.exe, 00000003.00000002.567385268.000000006EBD0000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568820397.000000006F2E5000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\win32event.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568721354.000000006F2D4000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.465540156.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.396644442.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.426625427.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.437644496.0000000000E1B000.00000004.00000001.sdmp

Spreading:

Contains functionality to get notified if a device is plugged in / out
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DAAD570 PyArg_ParseTuple,?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z,PyObject_AsReadBuffer,PyExc_ValueError,PyExc_ValueError,PyErr_Format,PyEval_SaveThread,RegisterDeviceNotificationW,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z, 19_2_6DAAD570
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0132715E FindFirstFileExW, 1_2_0132715E
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0131E260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 1_2_0131E260
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0132715E FindFirstFileExW, 3_2_0132715E
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0131E260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 3_2_0131E260
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BCE260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 11_2_00BCE260
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BD715E FindFirstFileExW, 11_2_00BD715E
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BD715E FindFirstFileExW, 19_2_00BD715E
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BCE260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 19_2_00BCE260
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA72F40 PyArg_ParseTuple,?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z,PyList_New,_Py_Dealloc,FindFirstFileW,GetLastError,?PyObject_FromWIN32_FIND_DATAW@@YAPAU_object@@PAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,FindNextFileW,GetLastError,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FreeWCHAR@@YAXPA_W@Z,FindClose,_Py_Dealloc, 19_2_6DA72F40
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA747B0 PyArg_ParseTuple,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_WH@Z, 19_2_6DA747B0

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49751 -> 142.250.145.108:587
Source: global traffic TCP traffic: 192.168.2.3:49775 -> 142.250.145.109:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49751 -> 142.250.145.108:587
Source: global traffic TCP traffic: 192.168.2.3:49775 -> 142.250.145.109:587
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: svchost.exe, 0000000C.00000002.410422151.0000020D17AE9000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563859154.00000000030A5000.00000004.00000001.sdmp String found in binary or memory: http://crl.p
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563492402.000000000305D000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crldn
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563409089.000000000303B000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crle
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563409089.000000000303B000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563859154.00000000030A5000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563492402.000000000305D000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563409089.000000000303B000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl:
Source: Cab_Invoice_pdf.exe, 00000003.00000002.561957935.0000000000EF1000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crlACE
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crlR
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crlT
Source: Cab_Invoice_pdf.exe, 00000003.00000002.561957935.0000000000EF1000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crlXx
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563409089.000000000303B000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crlb
Source: Cab_Invoice_pdf.exe, 00000003.00000002.561957935.0000000000EF1000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crld
Source: svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 0000000C.00000002.410422151.0000020D17AE9000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563859154.00000000030A5000.00000004.00000001.sdmp String found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crl
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563409089.000000000303B000.00000004.00000001.sdmp String found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crl#
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563409089.000000000303B000.00000004.00000001.sdmp String found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crl(
Source: Cab_Invoice_pdf.exe, 00000003.00000002.561957935.0000000000EF1000.00000004.00000020.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563492402.000000000305D000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.565635823.0000000003357000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crl0
Source: Cab_Invoice_pdf.exe, 00000003.00000002.561957935.0000000000EF1000.00000004.00000020.sdmp String found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crla
Source: Cab_Invoice_pdf.exe, 00000003.00000002.561957935.0000000000EF1000.00000004.00000020.sdmp String found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crlc
Source: Cab_Invoice_pdf.exe, 00000003.00000002.561957935.0000000000EF1000.00000004.00000020.sdmp String found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crlr
Source: svchost.exe, 0000000C.00000003.389695797.0000020D18381000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.389793962.0000020D183A2000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563492402.000000000305D000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: Cab_Invoice_pdf.exe, 00000003.00000002.561957935.0000000000EF1000.00000004.00000020.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.565635823.0000000003357000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563492402.000000000305D000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crt
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563492402.000000000305D000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crte
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crtloc
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der
Source: Cab_Invoice_pdf.exe, 00000003.00000002.561957935.0000000000EF1000.00000004.00000020.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.565635823.0000000003357000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gts1c3.derB2
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gts1c3.dere2
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gts1c3.dery1
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der$
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563492402.000000000305D000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der81
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gtsr1.derv2
Source: svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Cab_Invoice_pdf.exe, 00000003.00000003.327450088.0000000002FD1000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.327365430.0000000000EE5000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563024174.0000000002F90000.00000004.00000001.sdmp String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: Cab_Invoice_pdf.exe, 00000003.00000003.329270034.000000000301F000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563150895.0000000002FF4000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.329242201.0000000002FF9000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.475545199.000000000107C000.00000004.00000001.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Cab_Invoice_pdf.exe, 00000003.00000003.327450088.0000000002FD1000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.327365430.0000000000EE5000.00000004.00000001.sdmp String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: Cab_Invoice_pdf.exe, 00000003.00000002.562902379.0000000002F00000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.327450088.0000000002FD1000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.327365430.0000000000EE5000.00000004.00000001.sdmp String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: Cab_Invoice_pdf.exe, 00000003.00000003.327138689.0000000000EA7000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562961812.0000000002F40000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.470092422.0000000002900000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.493118134.0000000003500000.00000004.00000001.sdmp String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: Cab_Invoice_pdf.exe, 00000003.00000003.324419871.0000000000EC7000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562792705.0000000002D90000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.470092422.0000000002900000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.493118134.0000000003500000.00000004.00000001.sdmp String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: svchost.exe, 0000000C.00000003.389695797.0000020D18381000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.389793962.0000020D183A2000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: Cab_Invoice_pdf.exe, 00000003.00000002.565049121.00000000031C0000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563024174.0000000002F90000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.481183510.00000000036C0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/BoboTiG/python-mss
Source: Cab_Invoice_pdf.exe, 00000003.00000002.569019026.000000006F31E000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.567155238.000000006EB1A000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.567064488.000000006EAEB000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.568756682.000000006F2D8000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.467080000.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.464053217.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.459130908.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.465540156.0000000000E1B000.00000004.00000001.sdmp String found in binary or memory: https://github.com/mhammond/pywin32
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563492402.000000000305D000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563701766.0000000003090000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: Cab_Invoice_pdf.exe, 00000003.00000002.563576377.000000000307D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/mail/?p=BadCredentials
Source: svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.452020666.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.449217858.0000000002C1F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.483041978.000000000381F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 0000000C.00000003.389695797.0000020D18381000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.389793962.0000020D183A2000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000C.00000003.389695797.0000020D18381000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.389793962.0000020D183A2000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: Cab_Invoice_pdf.exe, 00000003.00000002.567452427.000000006EBF1000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.568654900.000000006EE48000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.449203486.0000000002C0C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.482937530.000000000380C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp String found in binary or memory: https://www.openssl.org/H
Source: svchost.exe, 0000000C.00000003.391546190.0000020D18389000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.c
Source: svchost.exe, 0000000C.00000003.391558399.0000020D1839A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.391525038.0000020D183B1000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.391498040.0000020D183B1000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.391546190.0000020D18389000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.391580111.0000020D18802000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown DNS traffic detected: queries for: smtp.gmail.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA74420 PyArg_ParseTuple,PyEval_SaveThread,GetKeyboardState,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,PyBytes_FromStringAndSize, 19_2_6DA74420

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Cab_Invoice_pdf.exe
Source: initial sample Static PE information: Filename: Cab_Invoice_pdf.exe
Uses 32bit PE files
Source: Cab_Invoice_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA74C50 PyArg_ParseTuple,PyEval_SaveThread,ExitWindowsEx,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,_Py_NoneStruct,_Py_NoneStruct, 19_2_6DA74C50
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA74BD0 PyArg_ParseTuple,PyEval_SaveThread,ExitWindowsEx,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,_Py_NoneStruct,_Py_NoneStruct, 19_2_6DA74BD0
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0131B912 1_2_0131B912
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0132E8DF 1_2_0132E8DF
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_013158C2 1_2_013158C2
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0131BB41 1_2_0131BB41
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_013292A0 1_2_013292A0
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01317440 1_2_01317440
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01316CA0 1_2_01316CA0
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0132974E 1_2_0132974E
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01314E60 1_2_01314E60
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0131B912 3_2_0131B912
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0132E8DF 3_2_0132E8DF
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_013158C2 3_2_013158C2
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0131BB41 3_2_0131BB41
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_013292A0 3_2_013292A0
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_01317440 3_2_01317440
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_01316CA0 3_2_01316CA0
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0132974E 3_2_0132974E
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_01314E60 3_2_01314E60
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_6E2F2A70 3_2_6E2F2A70
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_6E2F3030 3_2_6E2F3030
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BDE8DF 11_2_00BDE8DF
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC58C2 11_2_00BC58C2
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BCB912 11_2_00BCB912
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BD92A0 11_2_00BD92A0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BCBB41 11_2_00BCBB41
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC6CA0 11_2_00BC6CA0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC7440 11_2_00BC7440
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC4E60 11_2_00BC4E60
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BD974E 11_2_00BD974E
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BDE8DF 19_2_00BDE8DF
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC58C2 19_2_00BC58C2
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BCB912 19_2_00BCB912
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BD92A0 19_2_00BD92A0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BCBB41 19_2_00BCBB41
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC6CA0 19_2_00BC6CA0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC7440 19_2_00BC7440
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC4E60 19_2_00BC4E60
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BD974E 19_2_00BD974E
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAD8590 22_2_6DAD8590
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAE6DF0 22_2_6DAE6DF0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADD1CB 22_2_6DADD1CB
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADB1C0 22_2_6DADB1C0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAD61D5 22_2_6DAD61D5
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAD69D0 22_2_6DAD69D0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADE138 22_2_6DADE138
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADD108 22_2_6DADD108
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAE3910 22_2_6DAE3910
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADDCB7 22_2_6DADDCB7
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADC8ED 22_2_6DADC8ED
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAD5CC0 22_2_6DAD5CC0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADC430 22_2_6DADC430
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAE6470 22_2_6DAE6470
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADD045 22_2_6DADD045
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADD843 22_2_6DADD843
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAE73A9 22_2_6DAE73A9
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAE67D0 22_2_6DAE67D0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAE5730 22_2_6DAE5730
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAE7308 22_2_6DAE7308
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADAF10 22_2_6DADAF10
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADC340 22_2_6DADC340
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAD4B40 22_2_6DAD4B40
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADDADB 22_2_6DADDADB
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAE62D0 22_2_6DAE62D0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DADDA7C 22_2_6DADDA7C
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAD9270 22_2_6DAD9270
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB055F9 22_2_6DB055F9
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB031E0 22_2_6DB031E0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB071C0 22_2_6DB071C0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB028A0 22_2_6DB028A0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB050C0 22_2_6DB050C0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB02460 22_2_6DB02460
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB07457 22_2_6DB07457
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB07459 22_2_6DB07459
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB0A398 22_2_6DB0A398
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB03729 22_2_6DB03729
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB04B60 22_2_6DB04B60
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB036C0 22_2_6DB036C0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB09E6D 22_2_6DB09E6D
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: String function: 01317880 appears 36 times
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: String function: 01311860 appears 126 times
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: String function: 01318310 appears 88 times
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: String function: 01326046 appears 58 times
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: String function: 01311910 appears 68 times
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: String function: 00BD6046 appears 58 times
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: String function: 00BC1860 appears 126 times
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: String function: 00BC7880 appears 36 times
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: String function: 00BC1910 appears 68 times
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: String function: 00BC8310 appears 88 times
PE file does not import any functions
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.14.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.11.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: Cab_Invoice_pdf.exe Binary or memory string: OriginalFilename vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe Binary or memory string: OriginalFilename vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.569268710.00000000703DB000.00000002.00020000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.569019026.000000006F31E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamepywintypes38.dll0 vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.567548434.000000006EC21000.00000002.00020000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.567452427.000000006EBF1000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamelibsslH vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.569098530.000000006F340000.00000002.00020000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.569320710.0000000072F31000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.568654900.000000006EE48000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamelibcryptoH vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.567155238.000000006EB1A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewin32gui.pyd0 vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.566086023.000000006E3F9000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.567230692.000000006EB45000.00000002.00020000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.566773964.000000006E7D1000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamepython38.dll. vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.566980302.000000006E909000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.568866175.000000006F2E9000.00000002.00020000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.568948486.000000006F2F6000.00000002.00020000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.567295169.000000006EB63000.00000002.00020000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.569160937.0000000070286000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.567064488.000000006EAEB000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewin32api.pyd0 vs Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.568756682.000000006F2D8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewin32event.pyd0 vs Cab_Invoice_pdf.exe
PE file contains strange resources
Source: Cab_Invoice_pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Section loaded: python3.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: python3.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: python3.dll
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"
Source: Cab_Invoice_pdf.exe Virustotal: Detection: 62%
Source: Cab_Invoice_pdf.exe Metadefender: Detection: 33%
Source: Cab_Invoice_pdf.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File read: C:\Users\user\Desktop\Cab_Invoice_pdf.exe
Source: Cab_Invoice_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Cab_Invoice_pdf.exe "C:\Users\user\Desktop\Cab_Invoice_pdf.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Process created: C:\Users\user\Desktop\Cab_Invoice_pdf.exe "C:\Users\user\Desktop\Cab_Invoice_pdf.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Process created: C:\Users\user\Desktop\Cab_Invoice_pdf.exe "C:\Users\user\Desktop\Cab_Invoice_pdf.exe"
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122
Source: classification engine Classification label: mal72.evad.winEXE@19/204@7/4
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA74150 _Py_NoneStruct,PyArg_ParseTuple,?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z,PyEval_SaveThread,GetDiskFreeSpaceW,PyEval_RestoreThread,?PyWinObject_FreeWCHAR@@YAXPA_W@Z,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,Py_BuildValue, 19_2_6DA74150
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01314860 GetLastError,FormatMessageW, 1_2_01314860
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\mutex_var_xboz
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_01
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7A5B0 PyArg_ParseTuple,?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z,?PyWinObject_AsResourceIdW@@YAHPAU_object@@PAPA_WH@Z,?PyWinObject_AsResourceIdW@@YAHPAU_object@@PAPA_WH@Z,?PyWinObject_AsResourceIdW@@YAHPAU_object@@PAPA_WH@Z,FindResourceExW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,SizeofResource,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,LoadResource,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,LockResource,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,PyBytes_FromStringAndSize,?PyWinObject_FreeResourceId@@YAXPA_W@Z,?PyWinObject_FreeResourceId@@YAXPA_W@Z,?PyWinObject_FreeResourceId@@YAXPA_W@Z, 19_2_6DA7A5B0
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: Cab_Invoice_pdf.exe Static file information: File size 7399848 > 1048576
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Cab_Invoice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Cab_Invoice_pdf.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.428528477.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.433779342.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: svchost.exe, 0000000B.00000003.389747907.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.566821598.000000006E801000.00000020.00020000.sdmp, svchost.exe, 0000000B.00000003.461345666.0000000002B00000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.489294757.0000000003600000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: svchost.exe, 0000000B.00000003.394749545.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.398010798.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.393554815.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567499040.000000006EC0E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.391481591.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.412809412.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.425322367.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.435730972.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: d:\agent\_work\9\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569291136.0000000072F21000.00000020.00020000.sdmp, svchost.exe, 0000000B.00000003.386396710.0000000000E28000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.485296621.0000000070131000.00000020.00020000.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\pywintypes.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568991542.000000006F30E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.459130908.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.396174179.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.418168798.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.410176305.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.423854182.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\pyexpat.pdb source: svchost.exe, 0000000B.00000003.455016271.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.393935792.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\win32api.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567031750.000000006EADF000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.464053217.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.401443735.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.392740878.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: Cab_Invoice_pdf.exe, 00000003.00000002.568469462.000000006EDAC000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.449130672.0000000002B7A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.482692912.000000000377A000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567266133.000000006EB5E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.387226711.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.394362827.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569245523.00000000703D3000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.387736451.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.421932016.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_asyncio.pdb source: svchost.exe, 0000000B.00000003.386815953.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\win32gui.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567116932.000000006EB0B000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.467080000.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.481665588.000000006DABB000.00000002.00020000.sdmp
Source: Binary string: ta.pdb source: Cab_Invoice_pdf.exe
Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.566048535.000000006E3F7000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.462814052.0000000002C05000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.490361561.0000000003705000.00000004.00000001.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567385268.000000006EBD0000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdbUGP source: Cab_Invoice_pdf.exe, 00000003.00000002.566821598.000000006E801000.00000020.00020000.sdmp, svchost.exe, 0000000B.00000003.461345666.0000000002B00000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.489294757.0000000003600000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.405860680.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569068056.000000006F339000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.391001556.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\python38.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.566602937.000000006E713000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.457664564.000000000301A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.487589642.0000000003B1A000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.439490901.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.395552475.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: Cab_Invoice_pdf.exe, 00000003.00000002.567205585.000000006EB3B000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.481773795.000000006DAEB000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: svchost.exe, 0000000B.00000003.411685579.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.399919805.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568924352.000000006F2F3000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.390573271.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.567205585.000000006EB3B000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.389272849.0000000000E6C000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.481773795.000000006DAEB000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.393149261.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1i 8 Dec 2020built on: Tue Jan 5 20:17:31 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: Cab_Invoice_pdf.exe, 00000003.00000002.568469462.000000006EDAC000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.449130672.0000000002B7A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.482692912.000000000377A000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.420047349.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: svchost.exe, 0000000B.00000003.397576219.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.430416405.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_overlapped.pdb source: svchost.exe, 0000000B.00000003.390148766.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: svchost.exe, 0000000B.00000003.403125486.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.399119703.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.441941698.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.407177237.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568546215.000000006EDF8000.00000002.00020000.sdmp
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.414456474.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.408682511.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: svchost.exe, 0000000B.00000003.395157867.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\pywintypes.pdb+ source: Cab_Invoice_pdf.exe, 00000003.00000002.568991542.000000006F30E000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.459130908.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.432280344.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.397132347.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.569138282.0000000070283000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.460241183.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb@@ source: Cab_Invoice_pdf.exe, 00000003.00000002.567385268.000000006EBD0000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.453594434.000000000295F000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.484471608.000000000355F000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568820397.000000006F2E5000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.388795347.0000000000E28000.00000004.00000001.sdmp
Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: svchost.exe, 0000000B.00000003.388243683.0000000000E6C000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.8\Release\win32event.pdb source: Cab_Invoice_pdf.exe, 00000003.00000002.568721354.000000006F2D4000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000003.465540156.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.396644442.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.426625427.0000000000E1B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: svchost.exe, 0000000B.00000003.437644496.0000000000E1B000.00000004.00000001.sdmp
Source: Cab_Invoice_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Cab_Invoice_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Cab_Invoice_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Cab_Invoice_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Cab_Invoice_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01318356 push ecx; ret 1_2_01318369
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_01318356 push ecx; ret 3_2_01318369
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_6E2F50D4 push ecx; ret 3_2_6E2F50E6
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC8356 push ecx; ret 11_2_00BC8369
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC8356 push ecx; ret 19_2_00BC8369
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7DF66 push ecx; ret 19_2_6DA7DF79
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA93266 push ecx; ret 19_2_6DA93279
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DABA456 push ecx; ret 19_2_6DABA469
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAEA8D4 push ecx; ret 22_2_6DAEA8E6
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB0D4C4 push ecx; ret 22_2_6DB0D4D6
PE file contains sections with non-standard names
Source: libcrypto-1_1.dll.1.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.1.dr Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.11.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.11.dr Static PE information: section name: .00cfg
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01314740 MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_01314740
Binary contains a suspicious time stamp
Source: api-ms-win-core-console-l1-1-0.dll.1.dr Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
Drops PE files
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_lzma.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\libssl-1_1.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\libffi-7.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\libffi-7.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_overlapped.pyd
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_ctypes.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_queue.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_bz2.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_win32sysloader.pyd
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_hashlib.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_queue.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_overlapped.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_asyncio.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\win32event.pyd
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_win32sysloader.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_hashlib.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\libssl-1_1.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_asyncio.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_hashlib.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_ssl.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_lzma.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_queue.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_multiprocessing.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\pyexpat.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\select.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_bz2.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\pyexpat.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\pyexpat.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\pywintypes38.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\win32event.pyd
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_ctypes.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_asyncio.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\unicodedata.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\pywintypes38.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\win32api.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\pywintypes38.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\win32event.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\libffi-7.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\win32api.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_decimal.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\win32gui.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_decimal.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\win32gui.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\win32gui.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\python38.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_win32sysloader.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_ssl.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\win32api.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_bz2.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\python38.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI61562\python38.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe File created: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run svchost Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run svchost Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DAB7880 PyArg_ParseTuple,?PyWinObject_AsHANDLE@@YAHPAU_object@@PAPAX@Z,PyEval_SaveThread,IsIconic,PyEval_RestoreThread,Py_BuildValue, 19_2_6DAB7880
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_013129F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_013129F0

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE C
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 1876 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6360 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\_overlapped.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\_win32sysloader.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\_overlapped.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\_asyncio.pyd
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\_win32sysloader.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\_asyncio.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\_multiprocessing.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\pyexpat.pyd
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\pyexpat.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\pyexpat.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\_asyncio.pyd
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\_decimal.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\_decimal.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\_decimal.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\_win32sysloader.pyd Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61562\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63082\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI24122\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\svchost.exe API coverage: 3.6 %
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA755C0 PyArg_ParseTuple,GetSystemInfo,PyLong_FromUnsignedLongLong,?PyWinLong_FromVoidPtr@@YAPAU_object@@PBX@Z,?PyWinLong_FromVoidPtr@@YAPAU_object@@PBX@Z,Py_BuildValue, 19_2_6DA755C0
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0132715E FindFirstFileExW, 1_2_0132715E
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0131E260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 1_2_0131E260
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0132715E FindFirstFileExW, 3_2_0132715E
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0131E260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 3_2_0131E260
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BCE260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 11_2_00BCE260
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BD715E FindFirstFileExW, 11_2_00BD715E
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BD715E FindFirstFileExW, 19_2_00BD715E
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BCE260 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 19_2_00BCE260
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA72F40 PyArg_ParseTuple,?PyWinObject_AsWCHAR@@YAHPAU_object@@PAPA_WHPAK@Z,PyList_New,_Py_Dealloc,FindFirstFileW,GetLastError,?PyObject_FromWIN32_FIND_DATAW@@YAPAU_object@@PAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,FindNextFileW,GetLastError,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FreeWCHAR@@YAXPA_W@Z,FindClose,_Py_Dealloc, 19_2_6DA72F40
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA747B0 PyArg_ParseTuple,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_WH@Z, 19_2_6DA747B0
Source: svchost.exe, 0000000C.00000002.410422151.0000020D17AE9000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.410442915.0000020D17AF8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.410368973.0000020D17AA8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@
Source: Cab_Invoice_pdf.exe, 00000003.00000002.561957935.0000000000EF1000.00000004.00000020.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.327131318.0000000000F38000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.329527559.0000000000F01000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.329669205.0000000000F2A000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.326143603.0000000000F38000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000003.357303459.0000000000F38000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01318111 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_01318111
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01314740 MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_01314740
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01328587 GetProcessHeap, 1_2_01328587
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01320158 mov eax, dword ptr fs:[00000030h] 1_2_01320158
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_01320158 mov eax, dword ptr fs:[00000030h] 3_2_01320158
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BD0158 mov eax, dword ptr fs:[00000030h] 11_2_00BD0158
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BD0158 mov eax, dword ptr fs:[00000030h] 19_2_00BD0158
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0131825F SetUnhandledExceptionFilter, 1_2_0131825F
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01318111 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_01318111
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01317B8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_01317B8A
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_013215BE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_013215BE
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_01318111 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_01318111
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_01317B8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_01317B8A
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_0131825F SetUnhandledExceptionFilter, 3_2_0131825F
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_013215BE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_013215BE
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_6E2F4E29 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E2F4E29
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_6E2F4695 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E2F4695
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 3_2_6E2F4FBF SetUnhandledExceptionFilter, 3_2_6E2F4FBF
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC8111 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00BC8111
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC825F SetUnhandledExceptionFilter, 11_2_00BC825F
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BC7B8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00BC7B8A
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 11_2_00BD15BE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00BD15BE
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC8111 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00BC8111
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC825F SetUnhandledExceptionFilter, 19_2_00BC825F
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BC7B8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00BC7B8A
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_00BD15BE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00BD15BE
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7DCD2 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_6DA7DCD2
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7DF9E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_6DA7DF9E
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7DE67 SetUnhandledExceptionFilter, 19_2_6DA7DE67
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA9346C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_6DA9346C
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA92FD7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_6DA92FD7
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA9316C SetUnhandledExceptionFilter, 19_2_6DA9316C
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DABA65C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_6DABA65C
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DABA1C6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_6DABA1C6
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DABA35B SetUnhandledExceptionFilter, 19_2_6DABA35B
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAEA7BD SetUnhandledExceptionFilter, 22_2_6DAEA7BD
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAE9E8B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_6DAE9E8B
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DAEA627 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_6DAEA627
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB0D3B7 SetUnhandledExceptionFilter, 22_2_6DB0D3B7
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB0C721 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_6DB0C721
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 22_2_6DB0D221 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_6DB0D221

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7B330 PyArg_ParseTuple,PyEval_SaveThread,keybd_event,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct, 19_2_6DA7B330
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Process created: C:\Users\user\Desktop\Cab_Invoice_pdf.exe "C:\Users\user\Desktop\Cab_Invoice_pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA7B3B0 PyArg_ParseTuple,PyEval_SaveThread,mouse_event,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct, 19_2_6DA7B3B0
Source: Cab_Invoice_pdf.exe, 00000001.00000002.562024943.00000000017F0000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562432429.0000000001360000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Cab_Invoice_pdf.exe, 00000001.00000002.562024943.00000000017F0000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562432429.0000000001360000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Cab_Invoice_pdf.exe, 00000003.00000002.565410673.0000000003260000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.564851419.0000000003180000.00000004.00000001.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.565254568.0000000003210000.00000004.00000001.sdmp Binary or memory string: [OnWard Data Entered In : Program Manager]
Source: Cab_Invoice_pdf.exe, 00000001.00000002.562024943.00000000017F0000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562432429.0000000001360000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Cab_Invoice_pdf.exe, 00000001.00000002.562024943.00000000017F0000.00000002.00020000.sdmp, Cab_Invoice_pdf.exe, 00000003.00000002.562432429.0000000001360000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_socket.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\select.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\pywintypes38.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_queue.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\unicodedata.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_hashlib.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_ssl.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_bz2.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\_lzma.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\win32gui.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\win32event.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\win32api.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\4y2igpme VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI24122\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Queries volume information: C:\Users\user\Desktop\Cab_Invoice_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_ctypes.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_socket.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\select.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\pywintypes38.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_queue.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\unicodedata.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_hashlib.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_ssl.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_bz2.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\_lzma.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082 VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\win32gui.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\win32event.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63082\win32api.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562 VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_socket.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\select.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\pywintypes38.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_queue.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\unicodedata.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_hashlib.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_ssl.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_bz2.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\_lzma.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\win32gui.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\win32event.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61562\win32api.pyd VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0131836B cpuid 1_2_0131836B
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_01317FF1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_01317FF1
Source: C:\Users\user\Desktop\Cab_Invoice_pdf.exe Code function: 1_2_0132B193 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 1_2_0132B193
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA76470 PyArg_ParseTuple,GetVersionExW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_W@Z,Py_BuildValue,GetVersionExW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_W@Z,Py_BuildValue,PyExc_ValueError,PyExc_ValueError,PyErr_Format, 19_2_6DA76470
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 19_2_6DA739F0 PyArg_ParseTuple,GetUserNameW,?PyWin_SetAPIError@@YAPAU_object@@PADJ@Z,?PyWinObject_FromOLECHAR@@YAPAU_object@@PB_W@Z, 19_2_6DA739F0

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fprot.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: mcagent.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: mcvsrte.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fsmb32.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: avgrsx.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fsaa.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fsgk32.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: guard.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: portmonitor.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fnrb32.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: portdetective.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fih32.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: mcshield.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: nod32.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: rtvscan.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fsm32.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fsav32.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: apvxdwin.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: f-stopw.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: defwatch.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fsav.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: avgemc.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: vsmon.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: mcupdate.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: nmain.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fsma32.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: processmonitor.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: procdump.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fp-win.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: avguard.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: f-prot.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: avp.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fsav530stbyb.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fsav530wtbyb.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fast.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fameh32.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: avkservice.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fch32.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: spf.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: avgnt.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: fsav95.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: mcvsshld.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: Cab_Invoice_pdf.exe, 00000003.00000002.564043749.00000000030D0000.00000004.00000001.sdmp Binary or memory string: f-prot95.exe