Windows Analysis Report
JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe

Overview

General Information

Sample name: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
Analysis ID: 1482711
MD5: c2ba6d34f3e6c6b3af5448fd1a7796ad
SHA1: 446e5056b83d01fec8cbd18e371c999e90338564
SHA256: 2036747a3fdc79b8c1394e66b36ae1080ad22db75f08dc9cf91e8fac3dc5fe51
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Avira: detection malicious, Label: HEUR/AGEN.1308795
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Virustotal: Detection: 33%
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Virustotal: Detection: 33%
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe ReversingLabs: Detection: 64%
Source: Yara match File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Joe Sandbox ML: detected
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Joe Sandbox ML: detected
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 4x nop then jmp 057C67ECh 18_2_057C5DBF
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 4x nop then jmp 057C67ECh 18_2_057C5E90
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1293693851.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, nCPTBp.exe, 00000012.00000002.1505843402.0000000002572000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Source: Yara match File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5120000.3.raw.unpack, SizeParameters.cs Large array initialization: : array initializer size 15921
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.2a53094.0.raw.unpack, SizeParameters.cs Large array initialization: : array initializer size 15921
Source: 18.2.nCPTBp.exe.2552db8.0.raw.unpack, SizeParameters.cs Large array initialization: : array initializer size 15921
Source: initial sample Static PE information: Filename: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0042C183 NtClose, 16_2_0042C183
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011035C0 NtCreateMutant,LdrInitializeThunk, 16_2_011035C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102DF0 NtQuerySystemInformation,LdrInitializeThunk, 16_2_01102DF0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102C70 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_01102C70
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01103010 NtOpenDirectoryObject, 16_2_01103010
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01103090 NtSetValueKey, 16_2_01103090
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01104340 NtSetContextThread, 16_2_01104340
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01104650 NtSuspendThread, 16_2_01104650
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011039B0 NtGetContextThread, 16_2_011039B0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102B60 NtClose, 16_2_01102B60
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102B80 NtQueryInformationFile, 16_2_01102B80
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102BA0 NtEnumerateValueKey, 16_2_01102BA0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102BF0 NtAllocateVirtualMemory, 16_2_01102BF0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102BE0 NtQueryValueKey, 16_2_01102BE0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102AB0 NtWaitForSingleObject, 16_2_01102AB0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102AD0 NtReadFile, 16_2_01102AD0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102AF0 NtWriteFile, 16_2_01102AF0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102D10 NtMapViewOfSection, 16_2_01102D10
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01103D10 NtOpenProcessToken, 16_2_01103D10
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102D00 NtSetInformationFile, 16_2_01102D00
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102D30 NtUnmapViewOfSection, 16_2_01102D30
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01103D70 NtOpenThread, 16_2_01103D70
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102DB0 NtEnumerateKey, 16_2_01102DB0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102DD0 NtDelayExecution, 16_2_01102DD0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102C00 NtQueryInformationProcess, 16_2_01102C00
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102C60 NtCreateKey, 16_2_01102C60
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102CA0 NtQueryInformationToken, 16_2_01102CA0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102CC0 NtQueryVirtualMemory, 16_2_01102CC0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102CF0 NtOpenProcess, 16_2_01102CF0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102F30 NtCreateSection, 16_2_01102F30
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102F60 NtCreateProcessEx, 16_2_01102F60
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102F90 NtProtectVirtualMemory, 16_2_01102F90
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102FB0 NtResumeThread, 16_2_01102FB0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102FA0 NtQuerySection, 16_2_01102FA0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102FE0 NtCreateFile, 16_2_01102FE0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102E30 NtWriteVirtualMemory, 16_2_01102E30
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102E80 NtReadVirtualMemory, 16_2_01102E80
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102EA0 NtAdjustPrivilegesToken, 16_2_01102EA0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01102EE0 NtQueueApcThread, 16_2_01102EE0
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_0136F172 22_2_0136F172
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013B516C 22_2_013B516C
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_0138B1B0 22_2_0138B1B0
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_0136D34C 22_2_0136D34C
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013833F3 22_2_013833F3
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013852A0 22_2_013852A0
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_0139D2F0 22_2_0139D2F0
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_0139B2C0 22_2_0139B2C0
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_01371460 22_2_01371460
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_01383497 22_2_01383497
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013C74E0 22_2_013C74E0
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_0138B730 22_2_0138B730
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_01389950 22_2_01389950
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_0139B950 22_2_0139B950
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_01385990 22_2_01385990
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013ED800 22_2_013ED800
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013838E0 22_2_013838E0
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_0139FB80 22_2_0139FB80
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013BDBF9 22_2_013BDBF9
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013F5BF0 22_2_013F5BF0
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013F3A6C 22_2_013F3A6C
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_01383D40 22_2_01383D40
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_0139FDC0 22_2_0139FDC0
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013F9C32 22_2_013F9C32
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_01399C20 22_2_01399C20
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_01381F92 22_2_01381F92
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_01389EB0 22_2_01389EB0
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: String function: 013C7E54 appears 97 times
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: String function: 013EEA12 appears 37 times
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: String function: 0114F290 appears 105 times
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: String function: 010BB970 appears 265 times
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: String function: 01105130 appears 36 times
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: String function: 01117E54 appears 96 times
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: String function: 0113EA12 appears 86 times
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1314675065.0000000005C00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1300423741.0000000003C0E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1293693851.0000000002A31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1291325896.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1310449163.0000000005120000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000010.00000002.1578864787.00000000011BD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Binary or memory string: OriginalFilenameDdXL.exe< vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nCPTBp.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.SetAccessControl
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.AddAccessRule
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, ugiCahmWU9HqoBIE7s.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, ugiCahmWU9HqoBIE7s.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, ugiCahmWU9HqoBIE7s.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.SetAccessControl
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.AddAccessRule
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.SetAccessControl
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.evad.winEXE@19/15@0/0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File created: C:\Users\user\AppData\Roaming\nCPTBp.exe
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File created: C:\Users\user\AppData\Local\Temp\tmp920A.tmp
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Virustotal: Detection: 33%
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe ReversingLabs: Detection: 64%
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File read: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nCPTBp.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\nCPTBp.exe C:\Users\user\AppData\Roaming\nCPTBp.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmpAC0B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Process created: C:\Users\user\AppData\Roaming\nCPTBp.exe "C:\Users\user\AppData\Roaming\nCPTBp.exe"
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, StatGrapher.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: nCPTBp.exe.1.dr, StatGrapher.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5120000.3.raw.unpack, bg.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.2a53094.0.raw.unpack, bg.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, tr37UWORppbQ5PIAqL.cs .Net Code: uirVFu7Pse System.Reflection.Assembly.Load(byte[])
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, tr37UWORppbQ5PIAqL.cs .Net Code: uirVFu7Pse System.Reflection.Assembly.Load(byte[])
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, tr37UWORppbQ5PIAqL.cs .Net Code: uirVFu7Pse System.Reflection.Assembly.Load(byte[])
Source: 18.2.nCPTBp.exe.2552db8.0.raw.unpack, bg.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0040514C push esi; iretd 16_2_00405163
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_004031C4 push cs; retf 16_2_004031C8
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0040D345 push edx; retf 16_2_0040D348
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_004184E7 push esp; retf 16_2_004184E8
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_00418D43 push esi; ret 16_2_00418D5E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_00418D2F push esi; ret 16_2_00418D5E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_00412589 push ss; iretd 16_2_0041258A
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_00418DA4 push esi; ret 16_2_00418D5E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_00412674 push ecx; iretd 16_2_00412675
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_00403620 push eax; ret 16_2_00403622
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0041A76D push eax; ret 16_2_0041A771
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C09AD push ecx; mov dword ptr [esp], ecx 16_2_010C09B6
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 18_2_057C04E9 push ebx; ret 18_2_057C04EA
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 18_2_057C5790 push eax; ret 18_2_057C5791
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 18_2_057C6908 push esp; iretd 18_2_057C6909
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 18_2_057C898D push FFFFFF8Bh; iretd 18_2_057C898F
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013BC54F push 8B013467h; ret 22_2_013BC554
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013BC54D pushfd ; ret 22_2_013BC54E
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013709AD push ecx; mov dword ptr [esp], ecx 22_2_013709B6
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013BC9D7 push edi; ret 22_2_013BC9D9
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_01341FEC push eax; iretd 22_2_01341FED
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_013C7E99 push ecx; ret 22_2_013C7EAC
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Code function: 22_2_0042DC02 push esp; iretd 22_2_0042DC16
Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: section name: .text entropy: 7.951617880904782
Source: nCPTBp.exe.1.dr Static PE information: section name: .text entropy: 7.951617880904782
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, iCMsPPc14g0LbrpC1r.cs High entropy of concatenated method names: 'ToString', 'wqKIWwsRu1', 'w5gIClLtcW', 'hOUIsVgFKX', 'EgNIAYyRPF', 'SgpIZ5w4HA', 'rLRIeblNiM', 'JxPIQXroXt', 'jp1IwC7Q4d', 'giYIPCOdX4'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, jTUmy3T7eSYsyXDiWA5.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't4IRpE8WBJ', 'HoYRjTnIR0', 'O94RgIonfe', 'PRWRrwnZ6r', 't7qRcuKqJ6', 'gYFRtCHpwx', 'eFeRvVq4aF'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, RYP9auK2gvoKrJoTUI.cs High entropy of concatenated method names: 'tEDN1YQ4oq', 'pLlNCLOIWW', 'dpONs0MbVK', 'VHHNAar2p6', 'lDKNpkDwDA', 'MvGNZLDgOv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, eKcewjTS759y9tNiMw6.cs High entropy of concatenated method names: 'aKM63GnXVk', 'RfS6fjy6nD', 'soE6F7ltlY', 'i2k62Df1DV', 'ypS6DFJ3Jw', 'nR06xxoHw1', 'OCZ6UEfd6v', 'zNJ6KcMPVb', 'Q7C6O9v6B1', 'j9y6Jk6ulW'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, KS4DbtfggC5rweGmtu.cs High entropy of concatenated method names: 'wMGY3kiXng', 'bBHYfPRbLm', 'LKhYFiVI2J', 'GOjY2VEEKG', 'h93YD8jhK1', 'OuFYxxObL1', 'tfSYUO5C5Q', 'TqUYK9t87Z', 'P5PYOhWLvQ', 'Yc8YJo32QK'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, CMJVaV2jhxJrxX4hho.cs High entropy of concatenated method names: 'Xfl67PqBok', 'YGh6TmnQsH', 'iM86V7cg1f', 'FWJ6oH6feI', 'T7t6aTP8Wg', 'tSQ655xDT8', 'HoZ6kwF5of', 'z9QNvxR2ZN', 'MijNSsWrCN', 'Ik2NhTniRW'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, w62axEbqy4R1jsMrBU.cs High entropy of concatenated method names: 'jbB5D5yFQi', 'IbJ5UrctGL', 'qtkXsEkjO6', 'RPRXAV4apr', 'CcrXZDBn8p', 'tsQXeF6TfO', 'rRtXQiPfU1', 'xsnXwheEoP', 'VsnXPjYqtO', 'yGjXntDgnv'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, MqQiTFRFCn0eZo02RE.cs High entropy of concatenated method names: 'uKsk0jQDXJ', 'Lrok3dHj4l', 'N6DkFHnwSc', 'BtAk2LLG7u', 'ATRkxw9ceG', 'Qu1kUDpPc6', 'mKhkOUsP0X', 'd5SkJlrNcN', 'GL9T9uVbqwBZ36uUYK2', 'n243vyVdyHH87q2LOgQ'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, tyBvNlWGwV68pMxayC.cs High entropy of concatenated method names: 'yfj9Kl5dYV', 'c509OiiADH', 'fcv91xAmqm', 'KTU9CCXmW7', 'EBt9AJBHus', 'qGj9Z1G200', 'mBB9Q83GR4', 'n6a9wxT9BM', 'bgN9n2IuqE', 'PQp9WlJSJq'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, ugiCahmWU9HqoBIE7s.cs High entropy of concatenated method names: 'zfyapIrVCn', 'd3yaj55GQG', 'GL9agqmPc6', 'r0QarSLqLZ', 'H4dacbJo1Y', 'JZ3at1GX7V', 'FC9avsyVEU', 'mMWaS7aQJQ', 'ftAahNSyJ5', 'FFZaGoVeja'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, eID7ere8l0byUTlJ4X.cs High entropy of concatenated method names: 'EaqySMlDiT', 'iEoyGLNdEJ', 'Hl2N8wO7WX', 'z2bN75Uic5', 'xwRyW9MulH', 'FZqyHMcG9W', 'uocyiCjIoU', 'A9hypM33SZ', 'nt1yjmfScU', 'nrOyglqcHb'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, rVFerSH0CSsFIIZJhA.cs High entropy of concatenated method names: 'wHEkLOaF31', 'oo9kaZcCAb', 'QRUk5jqjsm', 'UVckYGuGFS', 'OXIkmreYJU', 'adq5cABv4l', 'ceA5tU17VE', 'wAr5vLpTFg', 'j9f5Sct2Bc', 'PyX5hwpS8A'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, Bpj9MhFjE7PWGgTwUM.cs High entropy of concatenated method names: 'QQJyMOKPNe', 'm39y4hBsEp', 'ToString', 'oemyoiIUbi', 'osoya2S5if', 'DqpyXtxkKL', 'zM7y5begFm', 'FkjykjC8de', 'WVqyYAGljL', 'wpwymBJikt'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, l3RmN4vVcBhmsvF52H.cs High entropy of concatenated method names: 'AdkNo0HbOW', 'o59NaOVBOf', 'VKyNXp2qAZ', 'nQJN5DqLZR', 'IerNkOHJlJ', 'w0tNYhtRuM', 'jn3NmYBwYF', 'jiqNlAMciX', 'wpLNM4nk7O', 'vqKN4r6a2O'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, BMpy3yYaCNHkDcpPxY.cs High entropy of concatenated method names: 'q9s7YNspCt', 'ihp7mhNsr1', 'XkQ7Mt4iZ9', 'ith74hUk0h', 'TVC7BSPVsL', 'XoM7IEPhXM', 'TmVkWofYjh3Wc9tQF7', 'KNu2vWRJUCRvk10hFo', 'QJf77Y6W78', 'cAL7TFD3uF'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, tr37UWORppbQ5PIAqL.cs High entropy of concatenated method names: 'aDLTL4eZHQ', 'Rw2TodP4uq', 'p6RTaGMvUO', 'F3YTXk3qvL', 'WrNT5V4jZ9', 'T8BTk38Ig7', 'PvSTY5ETo4', 'kSlTmfqqjn', 'W1OTlixZKJ', 'PPTTMNig5I'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, qQvcU7zmLGU2jZReYI.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IsN69NGyuH', 'zEV6BXAlP7', 'sty6IHUhZj', 'Yrt6yyI6QP', 'yV56NNu7SY', 'F0Q66GByCm', 'Yp66RRQMJf'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, tTf6FS0JjDn3J1oUVR.cs High entropy of concatenated method names: 'k2bBnFfc13', 'J7IBH0mqDb', 'MCjBpdno1Q', 'WeHBjghfra', 'tGxBCLHwRW', 'fraBsmbeZi', 'xSKBAWejvA', 'DIMBZcoHKo', 'mpwBeMa53N', 'wNaBQHf7Xs'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, RPembixow0X3aTpxSU.cs High entropy of concatenated method names: 'JtRX2u3HLN', 'ufbXxNro2p', 'OCsXKxodUh', 'qNOXOQcdyL', 'kU7XBeQ5Lk', 'GlyXIL1sy2', 'PQiXyLWPUo', 'xOaXNFt0rp', 'v8xX6W8hRV', 'lP3XRvjd2C'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, k6sIoRAO12TfY5kE2j.cs High entropy of concatenated method names: 'SRAFhRdWP', 't5E2bZwhM', 'xGfxfHpT1', 'QpgUVZVpV', 'wxrOedlN8', 'p4aJfljnO', 'Um40OyhJIpWr6t7GDc', 'SKs5HxFgPvCoW2yP1Y', 'ATZNp05LE', 'B1hRJZnC1'
Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, Pq7FEuQ4AWnwjflHjd.cs High entropy of concatenated method names: 'Dispose', 'O3c7hpmXtR', 'qmrqCueYx7', 'Gh5bbb1eNH', 'DVV7GUaLQt', 'GrP7zkVHKM', 'ProcessDialogKey', 'XuLq8fG7It', 'eMkq72mRvL', 'Q0oqqh2y9W'
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File created: C:\Users\user\AppData\Roaming\nCPTBp.exe

Boot Survival

Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp"

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: nCPTBp.exe PID: 7532, type: MEMORYSTR
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Memory allocated: D20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Memory allocated: 2A30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Memory allocated: 4A30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Memory allocated: 5DD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Memory allocated: 6DD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Memory allocated: 6F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Memory allocated: 7F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Memory allocated: A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Memory allocated: 2530000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Memory allocated: 4530000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Memory allocated: 59E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Memory allocated: 69E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Memory allocated: 6B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Memory allocated: 7B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0113D1C0 rdtsc 16_2_0113D1C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2505 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5256 Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe API coverage: 0.6 %
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe API coverage: 0.3 %
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe TID: 320 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7284 Thread sleep count: 2505 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7448 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7284 Thread sleep count: 103 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe TID: 7408 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe TID: 7608 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe TID: 7744 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: nCPTBp.exe, 00000012.00000002.1547001724.00000000056CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f
Source: nCPTBp.exe, 00000012.00000002.1387170435.000000000084F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_00417F03 LdrLoadDll, 16_2_00417F03
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01180115 mov eax, dword ptr fs:[00000030h] 16_2_01180115
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0116A118 mov ecx, dword ptr fs:[00000030h] 16_2_0116A118
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F0124 mov eax, dword ptr fs:[00000030h] 16_2_010F0124
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C1131 mov eax, dword ptr fs:[00000030h] 16_2_010C1131
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BB136 mov eax, dword ptr fs:[00000030h] 16_2_010BB136
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B9148 mov eax, dword ptr fs:[00000030h] 16_2_010B9148
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01195152 mov eax, dword ptr fs:[00000030h] 16_2_01195152
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01158158 mov eax, dword ptr fs:[00000030h] 16_2_01158158
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01154144 mov eax, dword ptr fs:[00000030h] 16_2_01154144
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01154144 mov ecx, dword ptr fs:[00000030h] 16_2_01154144
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01153140 mov eax, dword ptr fs:[00000030h] 16_2_01153140
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C6154 mov eax, dword ptr fs:[00000030h] 16_2_010C6154
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BC156 mov eax, dword ptr fs:[00000030h] 16_2_010BC156
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C7152 mov eax, dword ptr fs:[00000030h] 16_2_010C7152
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01159179 mov eax, dword ptr fs:[00000030h] 16_2_01159179
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BF172 mov eax, dword ptr fs:[00000030h] 16_2_010BF172
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01117190 mov eax, dword ptr fs:[00000030h] 16_2_01117190
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114019F mov eax, dword ptr fs:[00000030h] 16_2_0114019F
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01100185 mov eax, dword ptr fs:[00000030h] 16_2_01100185
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BA197 mov eax, dword ptr fs:[00000030h] 16_2_010BA197
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0117C188 mov eax, dword ptr fs:[00000030h] 16_2_0117C188
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011711A4 mov eax, dword ptr fs:[00000030h] 16_2_011711A4
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010DB1B0 mov eax, dword ptr fs:[00000030h] 16_2_010DB1B0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0113E1D0 mov eax, dword ptr fs:[00000030h] 16_2_0113E1D0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0113E1D0 mov ecx, dword ptr fs:[00000030h] 16_2_0113E1D0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011951CB mov eax, dword ptr fs:[00000030h] 16_2_011951CB
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011861C3 mov eax, dword ptr fs:[00000030h] 16_2_011861C3
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FD1D0 mov eax, dword ptr fs:[00000030h] 16_2_010FD1D0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FD1D0 mov ecx, dword ptr fs:[00000030h] 16_2_010FD1D0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E51EF mov eax, dword ptr fs:[00000030h] 16_2_010E51EF
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C51ED mov eax, dword ptr fs:[00000030h] 16_2_010C51ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011671F9 mov esi, dword ptr fs:[00000030h] 16_2_011671F9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F01F8 mov eax, dword ptr fs:[00000030h] 16_2_010F01F8
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011961E5 mov eax, dword ptr fs:[00000030h] 16_2_011961E5
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01144000 mov ecx, dword ptr fs:[00000030h] 16_2_01144000
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010DE016 mov eax, dword ptr fs:[00000030h] 16_2_010DE016
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010DE016 mov eax, dword ptr fs:[00000030h] 16_2_010DE016
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010DE016 mov eax, dword ptr fs:[00000030h] 16_2_010DE016
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010DE016 mov eax, dword ptr fs:[00000030h] 16_2_010DE016
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01156030 mov eax, dword ptr fs:[00000030h] 16_2_01156030
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0118903E mov eax, dword ptr fs:[00000030h] 16_2_0118903E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0118903E mov eax, dword ptr fs:[00000030h] 16_2_0118903E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0118903E mov eax, dword ptr fs:[00000030h] 16_2_0118903E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0118903E mov eax, dword ptr fs:[00000030h] 16_2_0118903E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BA020 mov eax, dword ptr fs:[00000030h] 16_2_010BA020
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BC020 mov eax, dword ptr fs:[00000030h] 16_2_010BC020
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01146050 mov eax, dword ptr fs:[00000030h] 16_2_01146050
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0116705E mov ebx, dword ptr fs:[00000030h] 16_2_0116705E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0116705E mov eax, dword ptr fs:[00000030h] 16_2_0116705E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C2050 mov eax, dword ptr fs:[00000030h] 16_2_010C2050
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EB052 mov eax, dword ptr fs:[00000030h] 16_2_010EB052
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0113D070 mov ecx, dword ptr fs:[00000030h] 16_2_0113D070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01195060 mov eax, dword ptr fs:[00000030h] 16_2_01195060
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114106E mov eax, dword ptr fs:[00000030h] 16_2_0114106E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov ecx, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D1070 mov eax, dword ptr fs:[00000030h] 16_2_010D1070
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EC073 mov eax, dword ptr fs:[00000030h] 16_2_010EC073
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C208A mov eax, dword ptr fs:[00000030h] 16_2_010C208A
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BD08D mov eax, dword ptr fs:[00000030h] 16_2_010BD08D
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F909C mov eax, dword ptr fs:[00000030h] 16_2_010F909C
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114D080 mov eax, dword ptr fs:[00000030h] 16_2_0114D080
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114D080 mov eax, dword ptr fs:[00000030h] 16_2_0114D080
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C5096 mov eax, dword ptr fs:[00000030h] 16_2_010C5096
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010ED090 mov eax, dword ptr fs:[00000030h] 16_2_010ED090
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010ED090 mov eax, dword ptr fs:[00000030h] 16_2_010ED090
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011860B8 mov eax, dword ptr fs:[00000030h] 16_2_011860B8
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011860B8 mov ecx, dword ptr fs:[00000030h] 16_2_011860B8
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011580A8 mov eax, dword ptr fs:[00000030h] 16_2_011580A8
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011950D9 mov eax, dword ptr fs:[00000030h] 16_2_011950D9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011420DE mov eax, dword ptr fs:[00000030h] 16_2_011420DE
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov ecx, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov ecx, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov ecx, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov ecx, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h] 16_2_010D70C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0113D0C0 mov eax, dword ptr fs:[00000030h] 16_2_0113D0C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0113D0C0 mov eax, dword ptr fs:[00000030h] 16_2_0113D0C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E90DB mov eax, dword ptr fs:[00000030h] 16_2_010E90DB
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011020F0 mov ecx, dword ptr fs:[00000030h] 16_2_011020F0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C80E9 mov eax, dword ptr fs:[00000030h] 16_2_010C80E9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BA0E3 mov ecx, dword ptr fs:[00000030h] 16_2_010BA0E3
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E50E4 mov eax, dword ptr fs:[00000030h] 16_2_010E50E4
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E50E4 mov ecx, dword ptr fs:[00000030h] 16_2_010E50E4
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011460E0 mov eax, dword ptr fs:[00000030h] 16_2_011460E0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BC0F0 mov eax, dword ptr fs:[00000030h] 16_2_010BC0F0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FA30B mov eax, dword ptr fs:[00000030h] 16_2_010FA30B
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FA30B mov eax, dword ptr fs:[00000030h] 16_2_010FA30B
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FA30B mov eax, dword ptr fs:[00000030h] 16_2_010FA30B
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BC310 mov ecx, dword ptr fs:[00000030h] 16_2_010BC310
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E0310 mov ecx, dword ptr fs:[00000030h] 16_2_010E0310
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114930B mov eax, dword ptr fs:[00000030h] 16_2_0114930B
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114930B mov eax, dword ptr fs:[00000030h] 16_2_0114930B
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114930B mov eax, dword ptr fs:[00000030h] 16_2_0114930B
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF32A mov eax, dword ptr fs:[00000030h] 16_2_010EF32A
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0118132D mov eax, dword ptr fs:[00000030h] 16_2_0118132D
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0118132D mov eax, dword ptr fs:[00000030h] 16_2_0118132D
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B7330 mov eax, dword ptr fs:[00000030h] 16_2_010B7330
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BD34C mov eax, dword ptr fs:[00000030h] 16_2_010BD34C
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BD34C mov eax, dword ptr fs:[00000030h] 16_2_010BD34C
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114035C mov eax, dword ptr fs:[00000030h] 16_2_0114035C
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114035C mov eax, dword ptr fs:[00000030h] 16_2_0114035C
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114035C mov eax, dword ptr fs:[00000030h] 16_2_0114035C
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114035C mov ecx, dword ptr fs:[00000030h] 16_2_0114035C
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114035C mov eax, dword ptr fs:[00000030h] 16_2_0114035C
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114035C mov eax, dword ptr fs:[00000030h] 16_2_0114035C
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0118A352 mov eax, dword ptr fs:[00000030h] 16_2_0118A352
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01195341 mov eax, dword ptr fs:[00000030h] 16_2_01195341
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B9353 mov eax, dword ptr fs:[00000030h] 16_2_010B9353
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B9353 mov eax, dword ptr fs:[00000030h] 16_2_010B9353
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01142349 mov eax, dword ptr fs:[00000030h] 16_2_01142349
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0116437C mov eax, dword ptr fs:[00000030h] 16_2_0116437C
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0117F367 mov eax, dword ptr fs:[00000030h] 16_2_0117F367
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C7370 mov eax, dword ptr fs:[00000030h] 16_2_010C7370
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C7370 mov eax, dword ptr fs:[00000030h] 16_2_010C7370
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C7370 mov eax, dword ptr fs:[00000030h] 16_2_010C7370
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E438F mov eax, dword ptr fs:[00000030h] 16_2_010E438F
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E438F mov eax, dword ptr fs:[00000030h] 16_2_010E438F
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BE388 mov eax, dword ptr fs:[00000030h] 16_2_010BE388
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BE388 mov eax, dword ptr fs:[00000030h] 16_2_010BE388
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BE388 mov eax, dword ptr fs:[00000030h] 16_2_010BE388
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0119539D mov eax, dword ptr fs:[00000030h] 16_2_0119539D
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0111739A mov eax, dword ptr fs:[00000030h] 16_2_0111739A
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0111739A mov eax, dword ptr fs:[00000030h] 16_2_0111739A
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B8397 mov eax, dword ptr fs:[00000030h] 16_2_010B8397
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B8397 mov eax, dword ptr fs:[00000030h] 16_2_010B8397
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B8397 mov eax, dword ptr fs:[00000030h] 16_2_010B8397
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E33A5 mov eax, dword ptr fs:[00000030h] 16_2_010E33A5
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F33A0 mov eax, dword ptr fs:[00000030h] 16_2_010F33A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F33A0 mov eax, dword ptr fs:[00000030h] 16_2_010F33A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0117B3D0 mov ecx, dword ptr fs:[00000030h] 16_2_0117B3D0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h] 16_2_010CA3C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h] 16_2_010CA3C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h] 16_2_010CA3C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h] 16_2_010CA3C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h] 16_2_010CA3C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h] 16_2_010CA3C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C83C0 mov eax, dword ptr fs:[00000030h] 16_2_010C83C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C83C0 mov eax, dword ptr fs:[00000030h] 16_2_010C83C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C83C0 mov eax, dword ptr fs:[00000030h] 16_2_010C83C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C83C0 mov eax, dword ptr fs:[00000030h] 16_2_010C83C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011463C0 mov eax, dword ptr fs:[00000030h] 16_2_011463C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0117C3CD mov eax, dword ptr fs:[00000030h] 16_2_0117C3CD
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h] 16_2_010D03E9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h] 16_2_010D03E9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h] 16_2_010D03E9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h] 16_2_010D03E9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h] 16_2_010D03E9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h] 16_2_010D03E9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h] 16_2_010D03E9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h] 16_2_010D03E9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011953FC mov eax, dword ptr fs:[00000030h] 16_2_011953FC
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F63FF mov eax, dword ptr fs:[00000030h] 16_2_010F63FF
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0117F3E6 mov eax, dword ptr fs:[00000030h] 16_2_0117F3E6
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010DE3F0 mov eax, dword ptr fs:[00000030h] 16_2_010DE3F0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010DE3F0 mov eax, dword ptr fs:[00000030h] 16_2_010DE3F0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010DE3F0 mov eax, dword ptr fs:[00000030h] 16_2_010DE3F0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F7208 mov eax, dword ptr fs:[00000030h] 16_2_010F7208
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F7208 mov eax, dword ptr fs:[00000030h] 16_2_010F7208
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B823B mov eax, dword ptr fs:[00000030h] 16_2_010B823B
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01195227 mov eax, dword ptr fs:[00000030h] 16_2_01195227
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0117B256 mov eax, dword ptr fs:[00000030h] 16_2_0117B256
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0117B256 mov eax, dword ptr fs:[00000030h] 16_2_0117B256
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F724D mov eax, dword ptr fs:[00000030h] 16_2_010F724D
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114D250 mov ecx, dword ptr fs:[00000030h] 16_2_0114D250
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B9240 mov eax, dword ptr fs:[00000030h] 16_2_010B9240
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B9240 mov eax, dword ptr fs:[00000030h] 16_2_010B9240
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C6259 mov eax, dword ptr fs:[00000030h] 16_2_010C6259
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01148243 mov eax, dword ptr fs:[00000030h] 16_2_01148243
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01148243 mov ecx, dword ptr fs:[00000030h] 16_2_01148243
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BA250 mov eax, dword ptr fs:[00000030h] 16_2_010BA250
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B826B mov eax, dword ptr fs:[00000030h] 16_2_010B826B
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01101270 mov eax, dword ptr fs:[00000030h] 16_2_01101270
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01101270 mov eax, dword ptr fs:[00000030h] 16_2_01101270
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01170274 mov eax, dword ptr fs:[00000030h] 16_2_01170274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C4260 mov eax, dword ptr fs:[00000030h] 16_2_010C4260
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C4260 mov eax, dword ptr fs:[00000030h] 16_2_010C4260
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C4260 mov eax, dword ptr fs:[00000030h] 16_2_010C4260
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0118D26B mov eax, dword ptr fs:[00000030h] 16_2_0118D26B
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0118D26B mov eax, dword ptr fs:[00000030h] 16_2_0118D26B
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E9274 mov eax, dword ptr fs:[00000030h] 16_2_010E9274
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FE284 mov eax, dword ptr fs:[00000030h] 16_2_010FE284
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FE284 mov eax, dword ptr fs:[00000030h] 16_2_010FE284
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F329E mov eax, dword ptr fs:[00000030h] 16_2_010F329E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F329E mov eax, dword ptr fs:[00000030h] 16_2_010F329E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01140283 mov eax, dword ptr fs:[00000030h] 16_2_01140283
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01140283 mov eax, dword ptr fs:[00000030h] 16_2_01140283
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01140283 mov eax, dword ptr fs:[00000030h] 16_2_01140283
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01195283 mov eax, dword ptr fs:[00000030h] 16_2_01195283
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011492BC mov eax, dword ptr fs:[00000030h] 16_2_011492BC
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011492BC mov eax, dword ptr fs:[00000030h] 16_2_011492BC
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011492BC mov ecx, dword ptr fs:[00000030h] 16_2_011492BC
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011492BC mov ecx, dword ptr fs:[00000030h] 16_2_011492BC
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D02A0 mov eax, dword ptr fs:[00000030h] 16_2_010D02A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D02A0 mov eax, dword ptr fs:[00000030h] 16_2_010D02A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D52A0 mov eax, dword ptr fs:[00000030h] 16_2_010D52A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D52A0 mov eax, dword ptr fs:[00000030h] 16_2_010D52A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D52A0 mov eax, dword ptr fs:[00000030h] 16_2_010D52A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D52A0 mov eax, dword ptr fs:[00000030h] 16_2_010D52A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011562A0 mov eax, dword ptr fs:[00000030h] 16_2_011562A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011562A0 mov ecx, dword ptr fs:[00000030h] 16_2_011562A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011562A0 mov eax, dword ptr fs:[00000030h] 16_2_011562A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011562A0 mov eax, dword ptr fs:[00000030h] 16_2_011562A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011562A0 mov eax, dword ptr fs:[00000030h] 16_2_011562A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011562A0 mov eax, dword ptr fs:[00000030h] 16_2_011562A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011572A0 mov eax, dword ptr fs:[00000030h] 16_2_011572A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011572A0 mov eax, dword ptr fs:[00000030h] 16_2_011572A0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011892A6 mov eax, dword ptr fs:[00000030h] 16_2_011892A6
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011892A6 mov eax, dword ptr fs:[00000030h] 16_2_011892A6
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011892A6 mov eax, dword ptr fs:[00000030h] 16_2_011892A6
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011892A6 mov eax, dword ptr fs:[00000030h] 16_2_011892A6
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C92C5 mov eax, dword ptr fs:[00000030h] 16_2_010C92C5
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C92C5 mov eax, dword ptr fs:[00000030h] 16_2_010C92C5
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EB2C0 mov eax, dword ptr fs:[00000030h] 16_2_010EB2C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EB2C0 mov eax, dword ptr fs:[00000030h] 16_2_010EB2C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EB2C0 mov eax, dword ptr fs:[00000030h] 16_2_010EB2C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EB2C0 mov eax, dword ptr fs:[00000030h] 16_2_010EB2C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EB2C0 mov eax, dword ptr fs:[00000030h] 16_2_010EB2C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EB2C0 mov eax, dword ptr fs:[00000030h] 16_2_010EB2C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EB2C0 mov eax, dword ptr fs:[00000030h] 16_2_010EB2C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CA2C3 mov eax, dword ptr fs:[00000030h] 16_2_010CA2C3
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CA2C3 mov eax, dword ptr fs:[00000030h] 16_2_010CA2C3
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CA2C3 mov eax, dword ptr fs:[00000030h] 16_2_010CA2C3
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CA2C3 mov eax, dword ptr fs:[00000030h] 16_2_010CA2C3
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CA2C3 mov eax, dword ptr fs:[00000030h] 16_2_010CA2C3
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BB2D3 mov eax, dword ptr fs:[00000030h] 16_2_010BB2D3
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BB2D3 mov eax, dword ptr fs:[00000030h] 16_2_010BB2D3
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BB2D3 mov eax, dword ptr fs:[00000030h] 16_2_010BB2D3
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF2D0 mov eax, dword ptr fs:[00000030h] 16_2_010EF2D0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF2D0 mov eax, dword ptr fs:[00000030h] 16_2_010EF2D0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D02E1 mov eax, dword ptr fs:[00000030h] 16_2_010D02E1
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D02E1 mov eax, dword ptr fs:[00000030h] 16_2_010D02E1
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D02E1 mov eax, dword ptr fs:[00000030h] 16_2_010D02E1
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0117F2F8 mov eax, dword ptr fs:[00000030h] 16_2_0117F2F8
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B92FF mov eax, dword ptr fs:[00000030h] 16_2_010B92FF
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011712ED mov eax, dword ptr fs:[00000030h] 16_2_011712ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011952E2 mov eax, dword ptr fs:[00000030h] 16_2_011952E2
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F7505 mov eax, dword ptr fs:[00000030h] 16_2_010F7505
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F7505 mov ecx, dword ptr fs:[00000030h] 16_2_010F7505
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01156500 mov eax, dword ptr fs:[00000030h] 16_2_01156500
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01194500 mov eax, dword ptr fs:[00000030h] 16_2_01194500
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01194500 mov eax, dword ptr fs:[00000030h] 16_2_01194500
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01194500 mov eax, dword ptr fs:[00000030h] 16_2_01194500
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01194500 mov eax, dword ptr fs:[00000030h] 16_2_01194500
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01194500 mov eax, dword ptr fs:[00000030h] 16_2_01194500
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01194500 mov eax, dword ptr fs:[00000030h] 16_2_01194500
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01194500 mov eax, dword ptr fs:[00000030h] 16_2_01194500
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01195537 mov eax, dword ptr fs:[00000030h] 16_2_01195537
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EE53E mov eax, dword ptr fs:[00000030h] 16_2_010EE53E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EE53E mov eax, dword ptr fs:[00000030h] 16_2_010EE53E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EE53E mov eax, dword ptr fs:[00000030h] 16_2_010EE53E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EE53E mov eax, dword ptr fs:[00000030h] 16_2_010EE53E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EE53E mov eax, dword ptr fs:[00000030h] 16_2_010EE53E
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0116F525 mov eax, dword ptr fs:[00000030h] 16_2_0116F525
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0116F525 mov eax, dword ptr fs:[00000030h] 16_2_0116F525
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0116F525 mov eax, dword ptr fs:[00000030h] 16_2_0116F525
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0116F525 mov eax, dword ptr fs:[00000030h] 16_2_0116F525
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0116F525 mov eax, dword ptr fs:[00000030h] 16_2_0116F525
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0116F525 mov eax, dword ptr fs:[00000030h] 16_2_0116F525
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0116F525 mov eax, dword ptr fs:[00000030h] 16_2_0116F525
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D0535 mov eax, dword ptr fs:[00000030h] 16_2_010D0535
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D0535 mov eax, dword ptr fs:[00000030h] 16_2_010D0535
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D0535 mov eax, dword ptr fs:[00000030h] 16_2_010D0535
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D0535 mov eax, dword ptr fs:[00000030h] 16_2_010D0535
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D0535 mov eax, dword ptr fs:[00000030h] 16_2_010D0535
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010D0535 mov eax, dword ptr fs:[00000030h] 16_2_010D0535
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0117B52F mov eax, dword ptr fs:[00000030h] 16_2_0117B52F
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CD534 mov eax, dword ptr fs:[00000030h] 16_2_010CD534
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CD534 mov eax, dword ptr fs:[00000030h] 16_2_010CD534
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CD534 mov eax, dword ptr fs:[00000030h] 16_2_010CD534
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CD534 mov eax, dword ptr fs:[00000030h] 16_2_010CD534
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CD534 mov eax, dword ptr fs:[00000030h] 16_2_010CD534
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CD534 mov eax, dword ptr fs:[00000030h] 16_2_010CD534
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FD530 mov eax, dword ptr fs:[00000030h] 16_2_010FD530
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FD530 mov eax, dword ptr fs:[00000030h] 16_2_010FD530
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C8550 mov eax, dword ptr fs:[00000030h] 16_2_010C8550
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C8550 mov eax, dword ptr fs:[00000030h] 16_2_010C8550
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F656A mov eax, dword ptr fs:[00000030h] 16_2_010F656A
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F656A mov eax, dword ptr fs:[00000030h] 16_2_010F656A
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F656A mov eax, dword ptr fs:[00000030h] 16_2_010F656A
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BB562 mov eax, dword ptr fs:[00000030h] 16_2_010BB562
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FB570 mov eax, dword ptr fs:[00000030h] 16_2_010FB570
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FB570 mov eax, dword ptr fs:[00000030h] 16_2_010FB570
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114B594 mov eax, dword ptr fs:[00000030h] 16_2_0114B594
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0114B594 mov eax, dword ptr fs:[00000030h] 16_2_0114B594
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B758F mov eax, dword ptr fs:[00000030h] 16_2_010B758F
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B758F mov eax, dword ptr fs:[00000030h] 16_2_010B758F
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010B758F mov eax, dword ptr fs:[00000030h] 16_2_010B758F
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F4588 mov eax, dword ptr fs:[00000030h] 16_2_010F4588
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C2582 mov eax, dword ptr fs:[00000030h] 16_2_010C2582
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C2582 mov ecx, dword ptr fs:[00000030h] 16_2_010C2582
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FE59C mov eax, dword ptr fs:[00000030h] 16_2_010FE59C
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E15A9 mov eax, dword ptr fs:[00000030h] 16_2_010E15A9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E15A9 mov eax, dword ptr fs:[00000030h] 16_2_010E15A9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E15A9 mov eax, dword ptr fs:[00000030h] 16_2_010E15A9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E15A9 mov eax, dword ptr fs:[00000030h] 16_2_010E15A9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E15A9 mov eax, dword ptr fs:[00000030h] 16_2_010E15A9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0117F5BE mov eax, dword ptr fs:[00000030h] 16_2_0117F5BE
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011535BA mov eax, dword ptr fs:[00000030h] 16_2_011535BA
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011535BA mov eax, dword ptr fs:[00000030h] 16_2_011535BA
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011535BA mov eax, dword ptr fs:[00000030h] 16_2_011535BA
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011535BA mov eax, dword ptr fs:[00000030h] 16_2_011535BA
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011405A7 mov eax, dword ptr fs:[00000030h] 16_2_011405A7
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011405A7 mov eax, dword ptr fs:[00000030h] 16_2_011405A7
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011405A7 mov eax, dword ptr fs:[00000030h] 16_2_011405A7
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF5B0 mov eax, dword ptr fs:[00000030h] 16_2_010EF5B0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF5B0 mov eax, dword ptr fs:[00000030h] 16_2_010EF5B0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF5B0 mov eax, dword ptr fs:[00000030h] 16_2_010EF5B0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF5B0 mov eax, dword ptr fs:[00000030h] 16_2_010EF5B0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF5B0 mov eax, dword ptr fs:[00000030h] 16_2_010EF5B0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF5B0 mov eax, dword ptr fs:[00000030h] 16_2_010EF5B0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF5B0 mov eax, dword ptr fs:[00000030h] 16_2_010EF5B0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF5B0 mov eax, dword ptr fs:[00000030h] 16_2_010EF5B0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EF5B0 mov eax, dword ptr fs:[00000030h] 16_2_010EF5B0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E45B1 mov eax, dword ptr fs:[00000030h] 16_2_010E45B1
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E45B1 mov eax, dword ptr fs:[00000030h] 16_2_010E45B1
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FE5CF mov eax, dword ptr fs:[00000030h] 16_2_010FE5CF
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0113D5D0 mov eax, dword ptr fs:[00000030h] 16_2_0113D5D0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0113D5D0 mov ecx, dword ptr fs:[00000030h] 16_2_0113D5D0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011935D7 mov eax, dword ptr fs:[00000030h] 16_2_011935D7
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F55C0 mov eax, dword ptr fs:[00000030h] 16_2_010F55C0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_011955C9 mov eax, dword ptr fs:[00000030h] 16_2_011955C9
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E95DA mov eax, dword ptr fs:[00000030h] 16_2_010E95DA
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C65D0 mov eax, dword ptr fs:[00000030h] 16_2_010C65D0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FA5D0 mov eax, dword ptr fs:[00000030h] 16_2_010FA5D0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FC5ED mov eax, dword ptr fs:[00000030h] 16_2_010FC5ED
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010EE5E7 mov eax, dword ptr fs:[00000030h] 16_2_010EE5E7
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010C25E0 mov eax, dword ptr fs:[00000030h] 16_2_010C25E0
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E15F4 mov eax, dword ptr fs:[00000030h] 16_2_010E15F4
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010E340D mov eax, dword ptr fs:[00000030h] 16_2_010E340D
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01147410 mov eax, dword ptr fs:[00000030h] 16_2_01147410
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010F8402 mov eax, dword ptr fs:[00000030h] 16_2_010F8402
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BE420 mov eax, dword ptr fs:[00000030h] 16_2_010BE420
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010BC427 mov eax, dword ptr fs:[00000030h] 16_2_010BC427
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_01146420 mov eax, dword ptr fs:[00000030h] 16_2_01146420
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FA430 mov eax, dword ptr fs:[00000030h] 16_2_010FA430
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0117F453 mov eax, dword ptr fs:[00000030h] 16_2_0117F453
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010CB440 mov eax, dword ptr fs:[00000030h] 16_2_010CB440
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_010FE443 mov eax, dword ptr fs:[00000030h] 16_2_010FE443
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nCPTBp.exe"
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Memory written: C:\Users\user\AppData\Roaming\nCPTBp.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp"
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmpAC0B.tmp"
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Process created: C:\Users\user\AppData\Roaming\nCPTBp.exe "C:\Users\user\AppData\Roaming\nCPTBp.exe"
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Queries volume information: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe VolumeInformation
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Queries volume information: C:\Users\user\AppData\Roaming\nCPTBp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos