Windows Analysis Report
Invoice-BL. Payment TT $ 16945.99.exe

Overview

General Information

Sample name: Invoice-BL. Payment TT $ 16945.99.exe
Analysis ID: 1572212
MD5: eb7496ff2480e5b4fbd90e785a7328cd
SHA1: 0039713076f0ccb54bfea4fa060b62eada29d39e
SHA256: d30d43ea8f103340a2307145035f404873d3d345f310dbeba6fa20f85d3fb790
Tags: exe, RedLineStealer, user-abuse_ch

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Invoice-BL. Payment TT $ 16945.99.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe" MD5: EB7496FF2480E5B4FBD90E785A7328CD)
    • powershell.exe (PID: 5960 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7392 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5940 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmp4600.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • haYzNpEpfrrs.exe (PID: 7264 cmdline: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe MD5: EB7496FF2480E5B4FBD90E785A7328CD)
    • schtasks.exe (PID: 7496 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmpBEE8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • haYzNpEpfrrs.exe (PID: 7540 cmdline: "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe" MD5: EB7496FF2480E5B4FBD90E785A7328CD)
    • haYzNpEpfrrs.exe (PID: 7548 cmdline: "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe" MD5: EB7496FF2480E5B4FBD90E785A7328CD)
    • haYzNpEpfrrs.exe (PID: 7556 cmdline: "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe" MD5: EB7496FF2480E5B4FBD90E785A7328CD)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration: {"C2 url": ["45.137.22.164:1912"], "Bot Id": "SystemCache", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Yara matches (network capture)
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches (memory dumps)
Source | Rule | Description | Author
00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000006.00000002.1798528235.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches (unpacked PE files)
Source | Rule | Description | Author
0.2.Invoice-BL. Payment TT $ 16945.99.exe.3cd4cb0.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.Invoice-BL. Payment TT $ 16945.99.exe.3cd4cb0.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
6.2.Invoice-BL. Payment TT $ 16945.99.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.Invoice-BL. Payment TT $ 16945.99.exe.3c89a90.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.Invoice-BL. Payment TT $ 16945.99.exe.3c89a90.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe", ParentImage: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe, ParentProcessId: 6880, ParentProcessName: Invoice-BL. Payment TT $ 16945.99.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe", ProcessId: 5960, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmpBEE8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmpBEE8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe, ParentImage: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe, ParentProcessId: 7264, ParentProcessName: haYzNpEpfrrs.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmpBEE8.tmp", ProcessId: 7496, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmp4600.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmp4600.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe", ParentImage: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe, ParentProcessId: 6880, ParentProcessName: Invoice-BL. Payment TT $ 16945.99.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmp4600.tmp", ProcessId: 5940, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe", ParentImage: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe, ParentProcessId: 6880, ParentProcessName: Invoice-BL. Payment TT $ 16945.99.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe", ProcessId: 5960, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmp4600.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmp4600.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe", ParentImage: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe, ParentProcessId: 6880, ParentProcessName: Invoice-BL. Payment TT $ 16945.99.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmp4600.tmp", ProcessId: 5940, ProcessName: schtasks.exe
Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T09:17:02.420478+0100 | 2043234 | 1 | A Network Trojan was detected | 45.137.22.164 | 1912 | 192.168.2.4 | 49733 | TCP
2024-12-10T09:17:07.682772+0100 | 2043234 | 1 | A Network Trojan was detected | 45.137.22.164 | 1912 | 192.168.2.4 | 49736 | TCP
2024-12-10T09:17:02.030831+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 45.137.22.164 | 1912 | TCP
2024-12-10T09:17:06.742113+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 45.137.22.164 | 1912 | TCP
2024-12-10T09:17:07.543715+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 45.137.22.164 | 1912 | TCP
2024-12-10T09:17:10.554388+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 45.137.22.164 | 1912 | TCP
2024-12-10T09:17:11.009802+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 45.137.22.164 | 1912 | TCP
2024-12-10T09:17:12.811063+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 45.137.22.164 | 1912 | TCP
2024-12-10T09:17:15.615330+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 45.137.22.164 | 1912 | TCP
2024-12-10T09:17:16.056822+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 45.137.22.164 | 1912 | TCP
2024-12-10T09:17:09.080209+0100 | 2046056 | 1 | A Network Trojan was detected | 45.137.22.164 | 1912 | 192.168.2.4 | 49733 | TCP
2024-12-10T09:17:14.206852+0100 | 2046056 | 1 | A Network Trojan was detected | 45.137.22.164 | 1912 | 192.168.2.4 | 49736 | TCP
2024-12-10T09:17:02.030831+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 45.137.22.164 | 1912 | TCP
2024-12-10T09:17:06.742113+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 45.137.22.164 | 1912 | TCP

AV Detection

Source: 00000000.00000002.1687136757.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["45.137.22.164:1912"], "Bot Id": "SystemCache", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | ReversingLabs: Detection: 28%
Source: Invoice-BL. Payment TT $ 16945.99.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Joe Sandbox ML: detected
Source: Invoice-BL. Payment TT $ 16945.99.exe | Joe Sandbox ML: detected
Source: Invoice-BL. Payment TT $ 16945.99.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Invoice-BL. Payment TT $ 16945.99.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: jXdm.pdbSHA256T | source: Invoice-BL. Payment TT $ 16945.99.exe, haYzNpEpfrrs.exe.0.dr
Source: Binary string: jXdm.pdb | source: Invoice-BL. Payment TT $ 16945.99.exe, haYzNpEpfrrs.exe.0.dr
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Code function: 4x nop then jmp 077466EAh | 6_2_07746428
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 6_2_07743BE0
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Code function: 4x nop then jmp 07745D8Ah | 6_2_07745968
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Code function: 4x nop then jmp 0774620Ah | 6_2_07745968
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Code function: 4x nop then jmp 0774540Bh | 6_2_077451D8
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Code function: 4x nop then jmp 077419BFh | 6_2_077419A7
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Code function: 4x nop then jmp 0774040Dh | 6_2_07740040
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Code function: 4x nop then jmp 0774040Dh | 6_2_0774001B
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Code function: 4x nop then jmp 0774040Dh | 6_2_07740007
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Code function: 4x nop then jmp 06FB5C23h | 13_2_06FB59F0
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 13_2_06FB39A0
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Code function: 4x nop then jmp 06FB65A2h | 13_2_06FB6180
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Code function: 4x nop then jmp 06FB6A22h | 13_2_06FB6180
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Code function: 4x nop then jmp 06FB3565h | 13_2_06FB3198
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Code function: 4x nop then jmp 06FB3565h | 13_2_06FB3189

Networking

Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49733 -> 45.137.22.164:1912
Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49736 -> 45.137.22.164:1912
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49733 -> 45.137.22.164:1912
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49736 -> 45.137.22.164:1912
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 45.137.22.164:1912 -> 192.168.2.4:49733
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 45.137.22.164:1912 -> 192.168.2.4:49736
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 45.137.22.164:1912 -> 192.168.2.4:49733
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 45.137.22.164:1912 -> 192.168.2.4:49736
Source: Malware configuration extractor | URLs: 45.137.22.164:1912
Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 45.137.22.164:1912
Source: Joe Sandbox View | ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
Source: unknown | TCP traffic detected without corresponding DNS query: 45.137.22.164
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800294591.000000000101E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://purl.oen
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000000.00000002.1684498941.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 00000007.00000002.1738139117.0000000002521000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1854830160.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/

                          System Summary

                          Source: initial sample; Static PE information: Filename: Invoice-BL. Payment TT $ 16945.99.exe
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeCode function: 13_2_06FB4AD813_2_06FB4AD8
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeCode function: 13_2_06FB20F013_2_06FB20F0
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeCode function: 13_2_06FB319813_2_06FB3198
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeCode function: 13_2_06FB399013_2_06FB3990
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeCode function: 13_2_06FB318913_2_06FB3189
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeCode function: 13_2_06FB617013_2_06FB6170
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000000.00000002.1682696891.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000000.00000002.1695792598.0000000009120000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000000.00000000.1649883210.00000000006A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamejXdm.exeJ vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000000.00000002.1687136757.0000000003D25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000000.00000002.1687136757.0000000003D25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000000.00000002.1687136757.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000000.00000002.1687136757.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000000.00000002.1687136757.0000000003CCC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000000.00000002.1687136757.0000000003D17000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000000.00000002.1695001468.0000000007880000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1798528235.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000029C3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirefox.exe0 vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000029C3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $kq,\\StringFileInfo\\000004B0\\OriginalFilename vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000029C3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000029C3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $kq,\\StringFileInfo\\040904B0\\OriginalFilename vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000029C3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000029C3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000029C3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $kq,\\StringFileInfo\\080904B0\\OriginalFilename vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.00000000029C3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe | Binary or memory string: OriginalFilenamejXdm.exeJ vs Invoice-BL. Payment TT $ 16945.99.exe
Source: Invoice-BL. Payment TT $ 16945.99.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Invoice-BL. Payment TT $ 16945.99.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: haYzNpEpfrrs.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, eP7KFHYxkowkSxeuGX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, eP7KFHYxkowkSxeuGX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, eP7KFHYxkowkSxeuGX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/11@0/1
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File created: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File created: C:\Users\user\AppData\Local\Temp\tmp4600.tmp
Source: Invoice-BL. Payment TT $ 16945.99.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Invoice-BL. Payment TT $ 16945.99.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Invoice-BL. Payment TT $ 16945.99.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File read: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe
Source: unknown | Process created: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe"
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmp4600.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process created: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmpBEE8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Process created: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Process created: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Process created: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"
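The process-creation rows above contain the whole persistence chain in three commands: the dropper adds a Defender exclusion for the copy it just wrote to AppData\Roaming, registers a scheduled task from an XML file in %TEMP%, and then re-launches its own image. The following triage script is an added example, not Joe Sandbox code and not part of the original report: it parses rows in the report's own "Source / Process created" layout (a constructed subset of the rows above is embedded as sample input) and flags those three behaviours, then correlates the excluded path with any later process launch of the same file. The rule names, severity labels and path heuristics are my own choices.

```python
"""Triage the 'Process created' rows of a sandbox report (added example, not Joe Sandbox code)."""
import re
from pathlib import PureWindowsPath

# Constructed sample input: a subset of the report's process-creation rows, kept verbatim
# apart from the " | " column separator used between the Source and the detail.
SAMPLE_ROWS = [
    r'Source: unknown | Process created: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe"',
    r'Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmp4600.tmp"',
    r'Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process created: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe"',
    r'Source: unknown | Process created: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe',
    r'Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmpBEE8.tmp"',
    r'Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Process created: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"',
]

# "Source: <parent> | Process created: <image> <command line>"; the separator is optional so
# the un-reformatted report text parses too. The image ends at the first ".exe" followed by
# whitespace, which also copes with image paths that contain spaces.
ROW_RE = re.compile(r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*(?P<detail>.+)$")
DETAIL_RE = re.compile(r"^(?P<image>.+?\.exe)\s+(?P<cmdline>.*)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
QUOTED_OR_BARE = r'(?:"([^"]+)"|(\S+))'  # helper: capture a quoted or an unquoted argument


def parse_rows(rows):
    """Turn report rows into {parent, image, cmdline} records; rows that do not match are skipped."""
    records = []
    for row in rows:
        m = ROW_RE.match(row)
        d = DETAIL_RE.match(m["detail"]) if m else None
        if d:
            records.append({"parent": m["parent"], "image": d["image"], "cmdline": d["cmdline"]})
    return records


def _name(path):
    return PureWindowsPath(path).name.lower()


def rule_defender_exclusion(rec):
    """powershell.exe adding a Defender exclusion; high severity when the path is user-writable."""
    if _name(rec["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    if not re.search(r"\bAdd-MpPreference\b", rec["cmdline"], re.IGNORECASE):
        return None
    hits = re.findall(r"-Exclusion(?:Path|Process|Extension)\s+" + QUOTED_OR_BARE, rec["cmdline"], re.IGNORECASE)
    paths = [q or bare for q, bare in hits]
    sev = "high" if any(USER_WRITABLE.search(p) for p in paths) else "medium"
    return {"rule": "defender_exclusion", "parent": rec["parent"], "paths": paths, "severity": sev}


def rule_task_from_temp(rec):
    """schtasks /Create whose /XML definition lives in %TEMP% (the task body is gone once the tmp file is deleted)."""
    cmd = rec["cmdline"]
    if _name(rec["image"]) != "schtasks.exe" or not re.search(r"/create\b", cmd, re.IGNORECASE):
        return None
    xml = re.search(r"/xml\s+" + QUOTED_OR_BARE, cmd, re.IGNORECASE)
    xml_path = (xml.group(1) or xml.group(2)) if xml else None
    if not xml_path or not TEMP_DIR.search(xml_path):
        return None
    tn = re.search(r"/tn\s+" + QUOTED_OR_BARE, cmd, re.IGNORECASE)
    task = (tn.group(1) or tn.group(2)) if tn else None
    return {"rule": "task_from_temp_xml", "parent": rec["parent"], "task": task, "xml": xml_path, "severity": "high"}


def rule_self_spawn(rec):
    """A process launching its own image: a frequent precursor to injecting into a suspended copy (heuristic)."""
    if rec["parent"].lower() == "unknown" or _name(rec["parent"]) != _name(rec["image"]):
        return None
    return {"rule": "self_spawn", "parent": rec["parent"], "image": rec["image"], "severity": "medium"}


RULES = (rule_defender_exclusion, rule_task_from_temp, rule_self_spawn)


def triage(rows):
    """Run every rule over every record, then tie Defender exclusions to later launches of the excluded file."""
    records = parse_rows(rows)
    findings = []
    for rec in records:
        for rule in RULES:
            hit = rule(rec)
            if hit:
                findings.append(hit)
    launched = {rec["image"].lower() for rec in records}
    for f in findings:
        if f["rule"] == "defender_exclusion":
            f["later_executed"] = [p for p in f["paths"] if p.lower() in launched]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

On a live host the same three questions are answered with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` (any entry under a user profile is suspect) and `Get-ScheduledTask -TaskPath '\Updates\'`, then comparing the task's action against the excluded path; a match is the same chain this report shows.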
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Section loaded: ntasn1.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: dwrite.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: windowscodecs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: textshaping.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: edputil.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: appresolver.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: slc.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: mscoree.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: version.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: uxtheme.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: windows.storage.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: wldp.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: profapi.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: cryptsp.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: rsaenh.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: cryptbase.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: dwrite.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: msvcp140_clr0400.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: secur32.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: wbemcomn.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: amsi.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: userenv.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: dpapi.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: rstrtmgr.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: ncrypt.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: ntasn1.dll
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeSection loaded: windowscodecs.dll
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                          Source: Invoice-BL. Payment TT $ 16945.99.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: Invoice-BL. Payment TT $ 16945.99.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Invoice-BL. Payment TT $ 16945.99.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Binary string: jXdm.pdbSHA256T source: Invoice-BL. Payment TT $ 16945.99.exe, haYzNpEpfrrs.exe.0.dr
                          Source: Binary string: jXdm.pdb source: Invoice-BL. Payment TT $ 16945.99.exe, haYzNpEpfrrs.exe.0.dr

                          Data Obfuscation

                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs.Net Code: bZ6RcTZovb System.Reflection.Assembly.Load(byte[])
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs.Net Code: bZ6RcTZovb System.Reflection.Assembly.Load(byte[])
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, ESUYSjpJ1jS9kdLtPJ.cs.Net Code: bZ6RcTZovb System.Reflection.Assembly.Load(byte[])
                          Source: Invoice-BL. Payment TT $ 16945.99.exeStatic PE information: 0xF8F576FC [Fri May 12 00:19:08 2102 UTC]
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeCode function: 0_2_078AA7F8 pushad ; iretd 0_2_078AA7F9
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeCode function: 7_2_06F9A7F8 pushad ; iretd 7_2_06F9A7F9
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeCode function: 13_2_0510D442 push eax; ret 13_2_0510D451
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeCode function: 13_2_06FB2F10 push es; ret 13_2_06FB2F20
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeCode function: 13_2_06FB8DB0 push es; ret 13_2_06FB8DC6
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeCode function: 13_2_06FB759F push es; iretd 13_2_06FB75AC
                          Source: Invoice-BL. Payment TT $ 16945.99.exeStatic PE information: section name: .text entropy: 7.634839633173352
                          Source: haYzNpEpfrrs.exe.0.drStatic PE information: section name: .text entropy: 7.634839633173352
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, e7TN4PnOnqqB1XnTNa.csHigh entropy of concatenated method names: 'FFrFuGqQBU', 'BMeFLk1GBA', 'lPrIqSYHur', 'e2WIOQhYiD', 'L0RIdTCGaG', 'HbPIsCA6WY', 'Yq6IVZKF0w', 'Xk5IhatQ8H', 'UbdI4CeaLC', 'RehI7dH1Pt'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, KbC8tU5yG5eux3Yk9B.csHigh entropy of concatenated method names: 'tMXI6NgAUc', 'Uy1Ia4wCH4', 'dJDIYluVGn', 'TqGI5CPth2', 'f2WIfGV2mt', 'OaQIBI8puH', 'UpkID1ZNkG', 'EbEI1lRk0f', 'UXTIAfMvJ7', 'BJCIJWfpEG'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, VHZrGHG2wXeGJdZoyl.csHigh entropy of concatenated method names: 'ad6cXOews', 'leA6TiX2f', 'VGhaP7oNu', 'I8sLDPK7Z', 'AAL50BlnT', 'cn0nO5dCs', 'yymnUWyBnVTbC5pQWJ', 'As1InUuDaKRYiWyOlW', 'tM8lRpYOfOVRytVLSd', 'oof1jYsHj'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, s93qNXSGbNbWJP7aVIn.csHigh entropy of concatenated method names: 'ToString', 'iwRkYVRc9I', 'SCfk5GcGgu', 'tj9kn2bm7H', 'u1lkgqjkl2', 'h7lk2DPtRG', 'tIPkqvbl8e', 'SMukOWNs70', 'Vty6oPI4JjKha3MmK54', 'tBpLAhI2cpb55RNoj2Y'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, u0Gl3uSSaGneLr4jH2h.csHigh entropy of concatenated method names: 'fWkJ3jQsf9', 'aRPJzkwNLC', 'HRakTeqqfp', 'duikSwNtq2', 'MR8kG7cscI', 'tyikbQ1gvE', 'Sw2kRfJP1n', 'kdikwb6hWd', 'SYmklEEGd2', 'WEVkW0X7oj'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, LEdKxJREXSd8iRYU11.csHigh entropy of concatenated method names: 'M3wSeP7KFH', 'nkoSpwkSxe', 'vyGS95eux3', 'Dk9SxBw7TN', 'xnTSfNadWh', 'gMKSBbO9xr', 'SEXFV8lXNVgljsxMjy', 'rZ9UPcLuko3R22uOyd', 'fVSSSqvxHh', 'Q22SbibeJk'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, vGenll45Z3mdtqb5Ms.csHigh entropy of concatenated method names: 'IWNerDn8Sd', 'cu2ejLVaw0', 'Wc0ec3PhdN', 'QG2e6OvKQA', 'jiReukXpVD', 'xHeeaL7JpB', 'ioceLs5nP0', 'Kt2eYQoSTB', 'FSae5525QY', 'qgben7VNuH'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, dghlcHSTQVJdmyqA9rM.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'agZJPHIHmr', 'e10JQNm5PC', 'vLrJv2UI77', 'qedJNGIvlV', 'vlJJCcPMg5', 'cP1JMZyIrx', 'f6jJ0iq7fH'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, ODvLNRzM3FAwHc17Mj.csHigh entropy of concatenated method names: 'mxtJayHpxl', 'VZPJYDK50x', 'MVjJ55q5Ji', 'SoCJg1sl0j', 'B2oJ2i1M4A', 'Xc4JOjTXCb', 'jttJd9ET3H', 'tFiJXcppkc', 'fjYJr3Umcx', 'EyxJjOnT91'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, uLtONgybIk8sD7YNCT.csHigh entropy of concatenated method names: 'VKxAgqwtv5', 'Y8iA2VeALk', 'NJFAqga9IZ', 'lLnAODAyJs', 'jUjAdbWbBp', 'bYNAsici2A', 'ndeAV6895U', 'dHPAhHcTSH', 'R4nA4EVrAv', 'fREA7NBbWZ'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, ER1fQI040O1uAmAo6y.csHigh entropy of concatenated method names: 'LXED9qX5YL', 'PGgDxNOXBq', 'ToString', 'sC2Dl8T6Vc', 'dUFDWBpI6D', 'prFDIuBhIn', 'FxlDFdmdKj', 'WvVDoA1ZJv', 'TC3DeVQDJV', 'jStDpl4vJF'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, JWhIMKgbO9xr7L04SE.csHigh entropy of concatenated method names: 'pcBowH3LpJ', 'kNWoWduCxa', 'ybsoF2tWrq', 'rCcoedaOlA', 'xyWopviGYa', 'CEYF8vKWUT', 'dLHFEYbG5t', 'V9OFKNU5y1', 'AQ8FipUwqG', 'l23FyOtr7r'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, jZV4koSRBfvyB75E1vY.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DptZAJ3Ma8', 'VjLZJKKbtW', 'MbrZkI4XFy', 'CkUZZ5AN8c', 'UYGZU8y15t', 'eryZmHv25D', 'vRtZXXPKmJ'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, MSd3BNM9dQZOh2hKMM.csHigh entropy of concatenated method names: 'ToString', 'lnHBPG0OMN', 'pkuB29NVAl', 'pSOBqBvNis', 'F9NBOKBoS9', 'IMrBdCZUSl', 'Cn7BsdMEEt', 'enyBVaw5mN', 'DwYBhmZ1uo', 'hTIB4p4a8C'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, ESUYSjpJ1jS9kdLtPJ.csHigh entropy of concatenated method names: 'FVMbw06EHF', 'qwEblBN0ZW', 'wpqbW7haQf', 'nqEbIfV0Tq', 'KKSbFdCGkf', 'tlNboBy3EM', 'piDbeVP9ms', 'kFRbp4IiFD', 'g9xbtjNjOY', 'i7tb92B8LH'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, P1eSWVE42NiH1cPGAT.csHigh entropy of concatenated method names: 'vXJDimZURa', 'ROfD3tHor8', 'w8n1TrRAYi', 'wSd1SYRUQU', 'euIDPFUEH8', 'jgiDQkuY3I', 'zNFDvvrbZp', 'MNCDNGfwLd', 'rptDCgCkJm', 'ey9DMlx9Uq'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, ShRkBn35B1kHB42EQe.csHigh entropy of concatenated method names: 'GsIJIIGmXj', 'C0TJFGJTOC', 'qZPJo4xovJ', 'eDKJeKvnfC', 'sAcJA40397', 'BqdJpvZYLx', 'Next', 'Next', 'Next', 'NextBytes'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, jYCtcYKn20p3lckyj0.csHigh entropy of concatenated method names: 'eOoAfQHDlZ', 'P8hADQDi0I', 'nCqAAoI6PK', 'm9VAkGBgBE', 'RxnAUVR2OM', 'RlcAXWwd40', 'Dispose', 'MEd1lgIaen', 'EWi1Woh5UA', 'LEC1IxYudm'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, eP7KFHYxkowkSxeuGX.csHigh entropy of concatenated method names: 'YXFWNhOpVs', 'bR0WCRFrHA', 'AfZWMN2kw5', 'dxaW0KYR7Y', 'kxAW8uq7RG', 'AcxWEy4EiY', 'jQ6WKP9SuL', 'ITMWiicQWZ', 'ESMWygfyIX', 'ElLW3jdvfa'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, Vs3EWJWRqxX6oSNoJc.csHigh entropy of concatenated method names: 'Dispose', 'Tp3Sylckyj', 'SMsG2J2inU', 'eB2nOlsesE', 'TnsS3DRbOL', 'vP7SzKDtMG', 'ProcessDialogKey', 'KqZGTLtONg', 'cIkGS8sD7Y', 'QCTGGMhRkB'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3db1d88.2.raw.unpack, KPkJuIvMSB23gq0ZxP.csHigh entropy of concatenated method names: 'ivNHYPveOg', 'dt3H56AvWL', 'HAHHgjB2ZL', 'EE7H2fBZ4I', 'WI9HOM39FQ', 'x7eHdbLHqL', 'cuWHVe8YvY', 'tRbHh3lwft', 'J99H7Qd1b9', 'e2sHP5FSFc'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, e7TN4PnOnqqB1XnTNa.csHigh entropy of concatenated method names: 'FFrFuGqQBU', 'BMeFLk1GBA', 'lPrIqSYHur', 'e2WIOQhYiD', 'L0RIdTCGaG', 'HbPIsCA6WY', 'Yq6IVZKF0w', 'Xk5IhatQ8H', 'UbdI4CeaLC', 'RehI7dH1Pt'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, KbC8tU5yG5eux3Yk9B.csHigh entropy of concatenated method names: 'tMXI6NgAUc', 'Uy1Ia4wCH4', 'dJDIYluVGn', 'TqGI5CPth2', 'f2WIfGV2mt', 'OaQIBI8puH', 'UpkID1ZNkG', 'EbEI1lRk0f', 'UXTIAfMvJ7', 'BJCIJWfpEG'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, VHZrGHG2wXeGJdZoyl.csHigh entropy of concatenated method names: 'ad6cXOews', 'leA6TiX2f', 'VGhaP7oNu', 'I8sLDPK7Z', 'AAL50BlnT', 'cn0nO5dCs', 'yymnUWyBnVTbC5pQWJ', 'As1InUuDaKRYiWyOlW', 'tM8lRpYOfOVRytVLSd', 'oof1jYsHj'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, s93qNXSGbNbWJP7aVIn.csHigh entropy of concatenated method names: 'ToString', 'iwRkYVRc9I', 'SCfk5GcGgu', 'tj9kn2bm7H', 'u1lkgqjkl2', 'h7lk2DPtRG', 'tIPkqvbl8e', 'SMukOWNs70', 'Vty6oPI4JjKha3MmK54', 'tBpLAhI2cpb55RNoj2Y'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, u0Gl3uSSaGneLr4jH2h.csHigh entropy of concatenated method names: 'fWkJ3jQsf9', 'aRPJzkwNLC', 'HRakTeqqfp', 'duikSwNtq2', 'MR8kG7cscI', 'tyikbQ1gvE', 'Sw2kRfJP1n', 'kdikwb6hWd', 'SYmklEEGd2', 'WEVkW0X7oj'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, LEdKxJREXSd8iRYU11.csHigh entropy of concatenated method names: 'M3wSeP7KFH', 'nkoSpwkSxe', 'vyGS95eux3', 'Dk9SxBw7TN', 'xnTSfNadWh', 'gMKSBbO9xr', 'SEXFV8lXNVgljsxMjy', 'rZ9UPcLuko3R22uOyd', 'fVSSSqvxHh', 'Q22SbibeJk'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, vGenll45Z3mdtqb5Ms.csHigh entropy of concatenated method names: 'IWNerDn8Sd', 'cu2ejLVaw0', 'Wc0ec3PhdN', 'QG2e6OvKQA', 'jiReukXpVD', 'xHeeaL7JpB', 'ioceLs5nP0', 'Kt2eYQoSTB', 'FSae5525QY', 'qgben7VNuH'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, dghlcHSTQVJdmyqA9rM.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'agZJPHIHmr', 'e10JQNm5PC', 'vLrJv2UI77', 'qedJNGIvlV', 'vlJJCcPMg5', 'cP1JMZyIrx', 'f6jJ0iq7fH'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, ODvLNRzM3FAwHc17Mj.csHigh entropy of concatenated method names: 'mxtJayHpxl', 'VZPJYDK50x', 'MVjJ55q5Ji', 'SoCJg1sl0j', 'B2oJ2i1M4A', 'Xc4JOjTXCb', 'jttJd9ET3H', 'tFiJXcppkc', 'fjYJr3Umcx', 'EyxJjOnT91'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, uLtONgybIk8sD7YNCT.csHigh entropy of concatenated method names: 'VKxAgqwtv5', 'Y8iA2VeALk', 'NJFAqga9IZ', 'lLnAODAyJs', 'jUjAdbWbBp', 'bYNAsici2A', 'ndeAV6895U', 'dHPAhHcTSH', 'R4nA4EVrAv', 'fREA7NBbWZ'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, ER1fQI040O1uAmAo6y.csHigh entropy of concatenated method names: 'LXED9qX5YL', 'PGgDxNOXBq', 'ToString', 'sC2Dl8T6Vc', 'dUFDWBpI6D', 'prFDIuBhIn', 'FxlDFdmdKj', 'WvVDoA1ZJv', 'TC3DeVQDJV', 'jStDpl4vJF'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, JWhIMKgbO9xr7L04SE.csHigh entropy of concatenated method names: 'pcBowH3LpJ', 'kNWoWduCxa', 'ybsoF2tWrq', 'rCcoedaOlA', 'xyWopviGYa', 'CEYF8vKWUT', 'dLHFEYbG5t', 'V9OFKNU5y1', 'AQ8FipUwqG', 'l23FyOtr7r'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, jZV4koSRBfvyB75E1vY.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DptZAJ3Ma8', 'VjLZJKKbtW', 'MbrZkI4XFy', 'CkUZZ5AN8c', 'UYGZU8y15t', 'eryZmHv25D', 'vRtZXXPKmJ'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, MSd3BNM9dQZOh2hKMM.csHigh entropy of concatenated method names: 'ToString', 'lnHBPG0OMN', 'pkuB29NVAl', 'pSOBqBvNis', 'F9NBOKBoS9', 'IMrBdCZUSl', 'Cn7BsdMEEt', 'enyBVaw5mN', 'DwYBhmZ1uo', 'hTIB4p4a8C'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, ESUYSjpJ1jS9kdLtPJ.csHigh entropy of concatenated method names: 'FVMbw06EHF', 'qwEblBN0ZW', 'wpqbW7haQf', 'nqEbIfV0Tq', 'KKSbFdCGkf', 'tlNboBy3EM', 'piDbeVP9ms', 'kFRbp4IiFD', 'g9xbtjNjOY', 'i7tb92B8LH'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, P1eSWVE42NiH1cPGAT.csHigh entropy of concatenated method names: 'vXJDimZURa', 'ROfD3tHor8', 'w8n1TrRAYi', 'wSd1SYRUQU', 'euIDPFUEH8', 'jgiDQkuY3I', 'zNFDvvrbZp', 'MNCDNGfwLd', 'rptDCgCkJm', 'ey9DMlx9Uq'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, ShRkBn35B1kHB42EQe.csHigh entropy of concatenated method names: 'GsIJIIGmXj', 'C0TJFGJTOC', 'qZPJo4xovJ', 'eDKJeKvnfC', 'sAcJA40397', 'BqdJpvZYLx', 'Next', 'Next', 'Next', 'NextBytes'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, jYCtcYKn20p3lckyj0.csHigh entropy of concatenated method names: 'eOoAfQHDlZ', 'P8hADQDi0I', 'nCqAAoI6PK', 'm9VAkGBgBE', 'RxnAUVR2OM', 'RlcAXWwd40', 'Dispose', 'MEd1lgIaen', 'EWi1Woh5UA', 'LEC1IxYudm'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, eP7KFHYxkowkSxeuGX.csHigh entropy of concatenated method names: 'YXFWNhOpVs', 'bR0WCRFrHA', 'AfZWMN2kw5', 'dxaW0KYR7Y', 'kxAW8uq7RG', 'AcxWEy4EiY', 'jQ6WKP9SuL', 'ITMWiicQWZ', 'ESMWygfyIX', 'ElLW3jdvfa'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, Vs3EWJWRqxX6oSNoJc.csHigh entropy of concatenated method names: 'Dispose', 'Tp3Sylckyj', 'SMsG2J2inU', 'eB2nOlsesE', 'TnsS3DRbOL', 'vP7SzKDtMG', 'ProcessDialogKey', 'KqZGTLtONg', 'cIkGS8sD7Y', 'QCTGGMhRkB'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, KPkJuIvMSB23gq0ZxP.csHigh entropy of concatenated method names: 'ivNHYPveOg', 'dt3H56AvWL', 'HAHHgjB2ZL', 'EE7H2fBZ4I', 'WI9HOM39FQ', 'x7eHdbLHqL', 'cuWHVe8YvY', 'tRbHh3lwft', 'J99H7Qd1b9', 'e2sHP5FSFc'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, e7TN4PnOnqqB1XnTNa.csHigh entropy of concatenated method names: 'FFrFuGqQBU', 'BMeFLk1GBA', 'lPrIqSYHur', 'e2WIOQhYiD', 'L0RIdTCGaG', 'HbPIsCA6WY', 'Yq6IVZKF0w', 'Xk5IhatQ8H', 'UbdI4CeaLC', 'RehI7dH1Pt'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, KbC8tU5yG5eux3Yk9B.csHigh entropy of concatenated method names: 'tMXI6NgAUc', 'Uy1Ia4wCH4', 'dJDIYluVGn', 'TqGI5CPth2', 'f2WIfGV2mt', 'OaQIBI8puH', 'UpkID1ZNkG', 'EbEI1lRk0f', 'UXTIAfMvJ7', 'BJCIJWfpEG'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, VHZrGHG2wXeGJdZoyl.csHigh entropy of concatenated method names: 'ad6cXOews', 'leA6TiX2f', 'VGhaP7oNu', 'I8sLDPK7Z', 'AAL50BlnT', 'cn0nO5dCs', 'yymnUWyBnVTbC5pQWJ', 'As1InUuDaKRYiWyOlW', 'tM8lRpYOfOVRytVLSd', 'oof1jYsHj'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, s93qNXSGbNbWJP7aVIn.csHigh entropy of concatenated method names: 'ToString', 'iwRkYVRc9I', 'SCfk5GcGgu', 'tj9kn2bm7H', 'u1lkgqjkl2', 'h7lk2DPtRG', 'tIPkqvbl8e', 'SMukOWNs70', 'Vty6oPI4JjKha3MmK54', 'tBpLAhI2cpb55RNoj2Y'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, u0Gl3uSSaGneLr4jH2h.csHigh entropy of concatenated method names: 'fWkJ3jQsf9', 'aRPJzkwNLC', 'HRakTeqqfp', 'duikSwNtq2', 'MR8kG7cscI', 'tyikbQ1gvE', 'Sw2kRfJP1n', 'kdikwb6hWd', 'SYmklEEGd2', 'WEVkW0X7oj'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, LEdKxJREXSd8iRYU11.csHigh entropy of concatenated method names: 'M3wSeP7KFH', 'nkoSpwkSxe', 'vyGS95eux3', 'Dk9SxBw7TN', 'xnTSfNadWh', 'gMKSBbO9xr', 'SEXFV8lXNVgljsxMjy', 'rZ9UPcLuko3R22uOyd', 'fVSSSqvxHh', 'Q22SbibeJk'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, vGenll45Z3mdtqb5Ms.csHigh entropy of concatenated method names: 'IWNerDn8Sd', 'cu2ejLVaw0', 'Wc0ec3PhdN', 'QG2e6OvKQA', 'jiReukXpVD', 'xHeeaL7JpB', 'ioceLs5nP0', 'Kt2eYQoSTB', 'FSae5525QY', 'qgben7VNuH'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, dghlcHSTQVJdmyqA9rM.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'agZJPHIHmr', 'e10JQNm5PC', 'vLrJv2UI77', 'qedJNGIvlV', 'vlJJCcPMg5', 'cP1JMZyIrx', 'f6jJ0iq7fH'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, ODvLNRzM3FAwHc17Mj.csHigh entropy of concatenated method names: 'mxtJayHpxl', 'VZPJYDK50x', 'MVjJ55q5Ji', 'SoCJg1sl0j', 'B2oJ2i1M4A', 'Xc4JOjTXCb', 'jttJd9ET3H', 'tFiJXcppkc', 'fjYJr3Umcx', 'EyxJjOnT91'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, uLtONgybIk8sD7YNCT.csHigh entropy of concatenated method names: 'VKxAgqwtv5', 'Y8iA2VeALk', 'NJFAqga9IZ', 'lLnAODAyJs', 'jUjAdbWbBp', 'bYNAsici2A', 'ndeAV6895U', 'dHPAhHcTSH', 'R4nA4EVrAv', 'fREA7NBbWZ'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, ER1fQI040O1uAmAo6y.csHigh entropy of concatenated method names: 'LXED9qX5YL', 'PGgDxNOXBq', 'ToString', 'sC2Dl8T6Vc', 'dUFDWBpI6D', 'prFDIuBhIn', 'FxlDFdmdKj', 'WvVDoA1ZJv', 'TC3DeVQDJV', 'jStDpl4vJF'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, JWhIMKgbO9xr7L04SE.csHigh entropy of concatenated method names: 'pcBowH3LpJ', 'kNWoWduCxa', 'ybsoF2tWrq', 'rCcoedaOlA', 'xyWopviGYa', 'CEYF8vKWUT', 'dLHFEYbG5t', 'V9OFKNU5y1', 'AQ8FipUwqG', 'l23FyOtr7r'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, jZV4koSRBfvyB75E1vY.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DptZAJ3Ma8', 'VjLZJKKbtW', 'MbrZkI4XFy', 'CkUZZ5AN8c', 'UYGZU8y15t', 'eryZmHv25D', 'vRtZXXPKmJ'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, MSd3BNM9dQZOh2hKMM.csHigh entropy of concatenated method names: 'ToString', 'lnHBPG0OMN', 'pkuB29NVAl', 'pSOBqBvNis', 'F9NBOKBoS9', 'IMrBdCZUSl', 'Cn7BsdMEEt', 'enyBVaw5mN', 'DwYBhmZ1uo', 'hTIB4p4a8C'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, ESUYSjpJ1jS9kdLtPJ.csHigh entropy of concatenated method names: 'FVMbw06EHF', 'qwEblBN0ZW', 'wpqbW7haQf', 'nqEbIfV0Tq', 'KKSbFdCGkf', 'tlNboBy3EM', 'piDbeVP9ms', 'kFRbp4IiFD', 'g9xbtjNjOY', 'i7tb92B8LH'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, P1eSWVE42NiH1cPGAT.csHigh entropy of concatenated method names: 'vXJDimZURa', 'ROfD3tHor8', 'w8n1TrRAYi', 'wSd1SYRUQU', 'euIDPFUEH8', 'jgiDQkuY3I', 'zNFDvvrbZp', 'MNCDNGfwLd', 'rptDCgCkJm', 'ey9DMlx9Uq'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, ShRkBn35B1kHB42EQe.csHigh entropy of concatenated method names: 'GsIJIIGmXj', 'C0TJFGJTOC', 'qZPJo4xovJ', 'eDKJeKvnfC', 'sAcJA40397', 'BqdJpvZYLx', 'Next', 'Next', 'Next', 'NextBytes'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, jYCtcYKn20p3lckyj0.csHigh entropy of concatenated method names: 'eOoAfQHDlZ', 'P8hADQDi0I', 'nCqAAoI6PK', 'm9VAkGBgBE', 'RxnAUVR2OM', 'RlcAXWwd40', 'Dispose', 'MEd1lgIaen', 'EWi1Woh5UA', 'LEC1IxYudm'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, eP7KFHYxkowkSxeuGX.csHigh entropy of concatenated method names: 'YXFWNhOpVs', 'bR0WCRFrHA', 'AfZWMN2kw5', 'dxaW0KYR7Y', 'kxAW8uq7RG', 'AcxWEy4EiY', 'jQ6WKP9SuL', 'ITMWiicQWZ', 'ESMWygfyIX', 'ElLW3jdvfa'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, Vs3EWJWRqxX6oSNoJc.csHigh entropy of concatenated method names: 'Dispose', 'Tp3Sylckyj', 'SMsG2J2inU', 'eB2nOlsesE', 'TnsS3DRbOL', 'vP7SzKDtMG', 'ProcessDialogKey', 'KqZGTLtONg', 'cIkGS8sD7Y', 'QCTGGMhRkB'
                          Source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.9120000.5.raw.unpack, KPkJuIvMSB23gq0ZxP.csHigh entropy of concatenated method names: 'ivNHYPveOg', 'dt3H56AvWL', 'HAHHgjB2ZL', 'EE7H2fBZ4I', 'WI9HOM39FQ', 'x7eHdbLHqL', 'cuWHVe8YvY', 'tRbHh3lwft', 'J99H7Qd1b9', 'e2sHP5FSFc'
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeFile created: \invoice-bl. payment tt $ 16945.99.exe
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File created: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe

                          Boot Survival

                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmp4600.tmp"

                          Hooking and other Techniques for Hiding and Protection

                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeProcess information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

Source: Yara match  File source: Process Memory Space: Invoice-BL. Payment TT $ 16945.99.exe PID: 6880, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: haYzNpEpfrrs.exe PID: 7264, type: MEMORYSTR
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Memory allocated: 1110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Memory allocated: 2B00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Memory allocated: 4B00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Memory allocated: 92F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Memory allocated: A2F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Memory allocated: A510000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Memory allocated: B510000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Memory allocated: 2670000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Memory allocated: 27F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Memory allocated: 47F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Memory allocated: 23E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Memory allocated: 2520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Memory allocated: 4520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Memory allocated: 8950000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Memory allocated: 9950000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Memory allocated: 9B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Memory allocated: AB60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Memory allocated: 2950000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Memory allocated: 2B70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Memory allocated: 4B70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 922337203685477 (4 identical entries)
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 239884
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 239766
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 239645
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 239531
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 239421
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 239311
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 239194
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 239078
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 238969
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 238844
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 238734
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 238624
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 238467
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 238334
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 238207
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 237703
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 237516
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 237293
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 237164
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe  Thread delayed: delay time: 237031
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 922337203685477 (4 identical entries)
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 238875
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 238744
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 238632
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 238525
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 238408
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 238281
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 238171
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 238062
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 237953
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 237844
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 237722
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 237594
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 237484
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 237375
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe  Thread delayed: delay time: 237265
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeWindow / User API: threadDelayed 1496Jump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeWindow / User API: threadDelayed 1482Jump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8762Jump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 856Jump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeWindow / User API: threadDelayed 1461Jump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeWindow / User API: threadDelayed 2924Jump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeWindow / User API: threadDelayed 1010Jump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeWindow / User API: threadDelayed 1954Jump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeWindow / User API: threadDelayed 500
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeWindow / User API: threadDelayed 4056
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -11990383647911201s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -240000s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -239884s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -239766s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -239645s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -239531s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -239421s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -239311s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -239194s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -239078s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -238969s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -238844s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -238734s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -238624s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -238467s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -238334s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -238207s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -237703s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -237516s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -237293s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -237164s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 3288Thread sleep time: -237031s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 6112Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 7668Thread sleep time: -14757395258967632s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe TID: 7248Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -11990383647911201s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -240000s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -238875s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -238744s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -238632s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -238525s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -238408s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -238281s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -238171s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -238062s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -237953s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -237844s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -237722s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -237594s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -237484s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -237375s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7320Thread sleep time: -237265s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7300Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7776Thread sleep time: -13835058055282155s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe TID: 7580Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800151668.0000000000C92000.00000004.00000020.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1849868035.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Memory written: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Memory written: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmp4600.tmp"
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Process created: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe"
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\haYzNpEpfrrs" /XML "C:\Users\user\AppData\Local\Temp\tmpBEE8.tmp"
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Process created: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Process created: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"
                          Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Process created: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe "C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation (this identical entry appears 8 times in the report)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | VolumeInformation (duplicate entries for this process merged in the list below)
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1816187695.0000000007B69000.00000004.00000020.00020000.00000000.sdmp, haYzNpEpfrrs.exe, 0000000D.00000002.1872656825.000000000601D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3cd4cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3cd4cb0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Invoice-BL. Payment TT $ 16945.99.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3c89a90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3c89a90.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1798528235.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1687136757.0000000003CCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1687136757.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice-BL. Payment TT $ 16945.99.exe PID: 6880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Invoice-BL. Payment TT $ 16945.99.exe PID: 7216, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: haYzNpEpfrrs.exe PID: 7556, type: MEMORYSTR
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLRkqX
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLRkq
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq%appdata%`,kqdC:\Users\user\AppData\Roaming`,kqdC:\Users\user\AppData\Roaming\Binance
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq&%localappdata%\Coinomi\Coinomi\walletsLRkq
Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002A12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ (listed twice in the report)
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ (listed twice in the report)
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ (listed twice in the report)
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ (listed twice in the report)
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ (listed twice in the report)
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ (listed twice in the report)
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1854830160.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1800626325.0000000002A12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice-BL. Payment TT $ 16945.99.exe PID: 7216, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: haYzNpEpfrrs.exe PID: 7556, type: MEMORYSTR
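The two evidence groups above (the ROOT\SecurityCenter / SecurityCenter2 WMI queries and MachineGuid lookup, and the "File opened" / memory-string hits on browser credential stores and wallet directories) are the core of what makes this an info-stealer, but a raw report lists hundreds of lines in the same shape, most of them harmless. The Python below is an added example, not part of the Joe Sandbox report or of any tool it describes: it parses lines in the report's extracted shape (process path fused with the action name, optional "Jump to behavior" link residue), buckets them into the four behaviours listed above, and flags processes that both reach into credential or wallet stores and profile the host or its security stack. The sample input is copied from lines on this page plus one constructed benign chrome.exe line; the Firefox logins.json / key4.db entries in BROWSER_STORES are well-known credential stores added as an assumption and are not taken from this report. Volume-information lookups on GAC assemblies are ordinary .NET loader activity and are deliberately left unclassified.

```python
import re
from collections import defaultdict

# Evidence lines in the report's extracted shape. The "Source" column was
# fused with the action column ("...exeFile opened: ..."), so the non-greedy
# source group stops at the first known action keyword. "Jump to behavior"
# is link residue that is stripped from the target.
_LINE = re.compile(
    r"^Source: (?P<source>.+?)"
    r"(?P<action>File opened|WMI Queries|Key value queried|"
    r"Queries volume information|String found in binary or memory): "
    r"(?P<target>.*?)(?:Jump to behavior)?$"
)

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Stores named in the report, plus Firefox's logins.json and key4.db
# (assumption: well-known credential stores, not listed in this report).
BROWSER_STORES = ("\\login data", "\\web data", "\\cookies", "cookies.sqlite",
                  "extension cookies", "logins.json", "key4.db")
# Wallet directories the sample opened, exactly as listed in the report.
WALLET_DIRS = ("\\electrum\\", "\\exodus\\", "\\ethereum\\", "\\coinomi\\",
               "\\binance\\", "\\atomic\\", "\\guarda\\", "\\com.liberty.jaxx\\")


def parse_line(line):
    """Split one evidence line into image basename, action and target."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    # Memory-dump sources read "<image>, <dump id>.sdmp": keep only the image.
    source = m.group("source").split(",")[0]
    return {"image": source.rsplit("\\", 1)[-1],
            "action": m.group("action"),
            "target": m.group("target").strip()}


def classify(ev):
    """Map an event to a stealer behaviour category, or None if uninteresting."""
    t = ev["target"].lower()
    if ev["action"] == "WMI Queries" and "\\securitycenter" in t:
        return "security_software_discovery"
    if ev["action"] == "Key value queried" and t.endswith("machineguid"):
        return "host_fingerprint"
    if ev["action"] in ("File opened", "String found in binary or memory"):
        if any(p in t for p in WALLET_DIRS):
            return "wallet_access"
        if any(p in t for p in BROWSER_STORES):
            return "browser_store_access"
    return None  # volume-information lookups etc. carry no signal here


def triage(lines):
    """Group classified targets by image: {image: {category: {targets}}}."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cat = classify(ev)
        if cat:
            findings[ev["image"]][cat].add(ev["target"])
    return findings


def verdict(findings):
    """Flag images that both reach into credential/wallet stores and profile
    the host or its security stack. A browser reading only its own profile
    stores is expected and is not flagged."""
    flagged = {}
    for image, cats in findings.items():
        present = set(cats)
        steals = present & {"wallet_access", "browser_store_access"}
        profiles = present & {"security_software_discovery", "host_fingerprint"}
        if image.lower() in BROWSERS and steals == {"browser_store_access"}:
            continue
        if steals and profiles:
            flagged[image] = sorted(steals | profiles)
    return flagged


# Constructed sample input: lines copied from this report, plus a constructed
# benign chrome.exe line to exercise the browser exemption.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite",
    r"Source: C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct",
    r"Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct",
    r"Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior",
    r"Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior",
    r"Source: Invoice-BL. Payment TT $ 16945.99.exe, 00000006.00000002.1800626325.0000000002A12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.walletLRkqX",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]

if __name__ == "__main__":
    for image, reasons in verdict(triage(SAMPLE_LINES)).items():
        print(f"{image}: {', '.join(reasons)}")
```

Run against the sample, both the submitted executable and the dropped haYzNpEpfrrs.exe are flagged while chrome.exe and powershell.exe are not. The same parser can be pointed at a full report export; the categories are the ones this page evidences, so extend BROWSER_STORES and WALLET_DIRS when triaging other families.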

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3cd4cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3cd4cb0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Invoice-BL. Payment TT $ 16945.99.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3c89a90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3c89a90.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice-BL. Payment TT $ 16945.99.exe.3bfa470.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.1800626325.0000000002886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1798528235.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1854830160.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1687136757.0000000003CCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1687136757.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice-BL. Payment TT $ 16945.99.exe PID: 6880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Invoice-BL. Payment TT $ 16945.99.exe PID: 7216, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: haYzNpEpfrrs.exe PID: 7556, type: MEMORYSTR
MITRE ATT&CK Matrix

Rebuilt from the flattened matrix. Only cells that carry a hit badge are listed; the badge digits are kept exactly as extracted. The remaining cells (the Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration and Impact columns, and the unbadged techniques in the other columns) are the report's fixed matrix template with no hit for this sample.

Tactic                 Technique                              Badge
Execution              Windows Management Instrumentation     221
Execution              Scheduled Task/Job                     1
Persistence            Scheduled Task/Job                     1
Persistence            DLL Side-Loading                       1
Privilege Escalation   Process Injection                      111
Privilege Escalation   Scheduled Task/Job                     1
Privilege Escalation   DLL Side-Loading                       1
Defense Evasion        Masquerading                           1
Defense Evasion        Disable or Modify Tools                11
Defense Evasion        Virtualization/Sandbox Evasion         241
Defense Evasion        Process Injection                      111
Defense Evasion        Obfuscated Files or Information        3
Defense Evasion        Software Packing                       12
Defense Evasion        Timestomp                              1
Defense Evasion        DLL Side-Loading                       1
Credential Access      OS Credential Dumping                  1
Discovery              Security Software Discovery            331
Discovery              Process Discovery                      1
Discovery              Virtualization/Sandbox Evasion         241
Discovery              Application Window Discovery           1
Discovery              File and Directory Discovery           1
Discovery              System Information Discovery           113
Collection             Archive Collected Data                 1
Collection             Data from Local System                 3
Command and Control    Encrypted Channel                      1
Command and Control    Non-Standard Port                      1
Command and Control    Application Layer Protocol             1

Behavior Graph legend (the icons themselves are not reproduced in this text extract):

• Node types: Process, Signature, Created File, DNS/IP Info
• Node flags: Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Is malicious, Internet
• Language badges: Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language

Behavior Graph ID: 1572212 | Sample: Invoice-BL. Payment TT $ 1... | Startdate: 10/12/2024 | Architecture: WINDOWS | Score: 100

Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Sigma detected: Scheduled temp file as task from temp location; 13 other signatures

Process tree as drawn in the graph (bracketed numbers are the graph's own node ids, not PIDs; the bare counters drawn next to process names are kept as "badge"):

Invoice-BL. Payment TT $ 16945.99.exe [7] (badge 7)
    dropped: C:\Users\user\AppData\...\haYzNpEpfrrs.exe, PE32
    dropped: C:\Users\...\haYzNpEpfrrs.exe:Zone.Identifier, ASCII
    dropped: C:\Users\user\AppData\Local\...\tmp4600.tmp, XML
    dropped: Invoice-BL. Paymen...$ 16945.99.exe.log, ASCII
    signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    |- Invoice-BL. Payment TT $ 16945.99.exe [13] (badges 5 3)
    |      network: 45.137.22.164, ports 1912, 49733, 49736, ROOTLAYERNETNL, Netherlands
    |      signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to steal Crypto Currency Wallets
    |- powershell.exe [17] (badge 23)
    |      signatures: Loading BitLocker PowerShell Module
    |      |- conhost.exe [29]
    |      |- WmiPrvSE.exe [31]
    |- schtasks.exe [19] (badge 1)
           |- conhost.exe [33]

haYzNpEpfrrs.exe [11] (badge 5)
    signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
    |- haYzNpEpfrrs.exe [21]
    |      signatures: Tries to harvest and steal browser information (history, passwords, etc)
    |- schtasks.exe [23]
    |      |- conhost.exe [35]
    |- haYzNpEpfrrs.exe [25]
    |- haYzNpEpfrrs.exe [27]
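The behavior graph shows the execution chain that matters for detection: a user-delivered executable in Desktop relaunches a copy of its own image (the injection target), spawns powershell.exe (the Defender exclusion) and schtasks.exe (the task registered from the temp XML), and the dropped haYzNpEpfrrs.exe in AppData\Roaming later repeats the pattern on its own. The Python below is an added example, not code from the Joe Sandbox report or any tool it describes, showing how that parent/child shape can be scored from process-creation events independent of file hashes. The event list is constructed from the graph: its numbers are the graph's node ids used as stand-in PIDs, system binaries are given by name only because the graph shows no path, and the Program Files updater tree is a constructed benign control.

```python
from collections import defaultdict

# Locations a dropped or user-delivered payload typically runs from.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")

# Constructed process-creation events (pid, ppid, image) transcribed from the
# behavior graph. Node ids stand in for PIDs; the last two lines are a
# constructed benign control that is not in the report.
EVENTS = [
    (7, 2, r"C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe"),
    (13, 7, r"C:\Users\user\Desktop\Invoice-BL. Payment TT $ 16945.99.exe"),
    (17, 7, "powershell.exe"),
    (29, 17, "conhost.exe"),
    (31, 17, "WmiPrvSE.exe"),
    (19, 7, "schtasks.exe"),
    (33, 19, "conhost.exe"),
    (11, 2, r"C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"),
    (21, 11, r"C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"),
    (23, 11, "schtasks.exe"),
    (35, 23, "conhost.exe"),
    (25, 11, r"C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"),
    (27, 11, r"C:\Users\user\AppData\Roaming\haYzNpEpfrrs.exe"),
    (40, 2, r"C:\Program Files\Vendor\updater.exe"),
    (41, 40, "schtasks.exe"),
]


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Return {pid: image} and {ppid: [child pids]} from (pid, ppid, image)."""
    image = {}
    children = defaultdict(list)
    for pid, ppid, img in events:
        image[pid] = img
        children[ppid].append(pid)
    return image, children


def score(pid, image, children):
    """Reasons a process in a user-writable path looks like a stager; [] if none."""
    img = image[pid]
    if not any(p in img.lower() for p in USER_WRITABLE):
        return []
    kids = [basename(image[c]) for c in children.get(pid, [])]
    reasons = []
    if basename(img) in kids:
        reasons.append("relaunches its own image (suspended-process injection pattern)")
    if "powershell.exe" in kids:
        reasons.append("spawns powershell.exe")
    if "schtasks.exe" in kids:
        reasons.append("spawns schtasks.exe")
    return reasons


def suspicious_chains(events):
    """Processes with at least two stager traits; one trait alone is common
    in benign software (installers register tasks, scripts call PowerShell)."""
    image, children = build_tree(events)
    hits = {}
    for pid in image:
        reasons = score(pid, image, children)
        if len(reasons) >= 2:
            hits[pid] = reasons
    return hits


if __name__ == "__main__":
    image, _ = build_tree(EVENTS)
    for pid, reasons in suspicious_chains(EVENTS).items():
        print(f"{basename(image[pid])} [{pid}]: {'; '.join(reasons)}")
```

On the transcribed graph only node 7 (the submitted sample) and node 11 (the dropped haYzNpEpfrrs.exe) score, each with at least two traits; the injected child copies and the Program Files control do not. In a real pipeline the same function runs over Sysmon event ID 1 or EDR process-start telemetry, where the command lines (the Defender exclusion and the schtasks /XML path) add further, stronger conditions.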

                          This section contains all screenshots as thumbnails, including those not shown in the slideshow.