Loading ...

Analysis Report http://akxenrjjnou.xsl.pt/u9F

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:102816
Start date:11.01.2019
Start time:20:03:41
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 49s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:http://akxenrjjnou.xsl.pt/u9F
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.win@3/60@16/7
Cookbook Comments:
  • Adjust boot time
  • Browsing link: http://dfzasyuudds.xsl.pt/pu
  • Browsing link: http://kdgrlvibpbucup.xsl.pt/rg
  • Browsing link: http://uvlmqtqlbgx.xsl.pt/fj
  • Browsing link: http://inaggfvrys.xsl.pt/ds
  • Browsing link: http://axkkharbfjj.xsl.pt/66
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, TiWorker.exe, RuntimeBroker.exe, wermgr.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe, svchost.exe, TrustedInstaller.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold10 - 100Report FP / FNfalseclean

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold20 - 5true
ConfidenceConfidence


Classification

Analysis Advice

All HTTP servers contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsWindows Remote ManagementWinlogon Helper DLLPort MonitorsFile System Logical OffsetsCredential DumpingSystem Service DiscoveryApplication Deployment SoftwareData from Local SystemData Encrypted1Standard Non-Application Layer Protocol6
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol6

Signature Overview

Click to jump to signature section


Networking:

barindex
Connects to country known for bullet proof hostersShow sources
Source: unknownNetwork traffic detected: IP: 193.124.189.141 Russian Federation
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)Show sources
Source: global trafficTCP traffic: 192.168.2.7:49784 -> 193.124.189.141:80
Source: global trafficTCP traffic: 192.168.2.7:49802 -> 213.13.28.100:80
Source: global trafficTCP traffic: 192.168.2.7:49806 -> 213.13.146.180:80
Source: global trafficTCP traffic: 192.168.2.7:49808 -> 213.13.65.101:443
Source: global trafficTCP traffic: 192.168.2.7:49812 -> 213.13.25.44:80
Source: global trafficTCP traffic: 192.168.2.7:49813 -> 213.13.145.98:443
Source: global trafficTCP traffic: 192.168.2.7:49815 -> 213.13.65.100:80
Downloads compressed data via HTTPShow sources
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKExpires: Sat, 12 Jan 2019 01:05:41 GMTCache-Control: max-age=21600Vary: Accept-EncodingContent-Encoding: gzipLast-Modified: Mon, 17 Mar 2014 17:35:37 GMTETag: "1478521566"Content-Type: text/javascript; charset=utf-8Accept-Ranges: bytesContent-Length: 3446Date: Fri, 11 Jan 2019 19:05:41 GMTServer: lighttpd/1.4.35Data Raw: 1f 8b 08 00 69 32 27 53 00 03 b5 1a db 72 db 36 f6 3d 5f c1 68 32 26 b9 a2 e9 4b d3 76 22 9a cd 38 ae bb c9 34 ad 53 3b d9 3e c8 aa 87 22 21 89 16 2f 2a 40 c9 56 25 fd fb 1e dc 41 8a b2 95 6e f7 45 22 81 73 c7 b9 01 e0 8b 74 e4 54 cb 19 2a 47 d6 cd f9 a7 ab 30 0c ed 79 91 a0 51 5a a0 c4 76 57 0f 69 91 94 0f 3e 9b 5a 6d 82 0d ca 08 aa 0d 1a cf c1 e6 05 fd f3 8b 28 47 64 16 c5 28 1c cd 8b b8 4a cb c2 29 88 bb 02 46 2f 0b b2 5e c3 8f 9f a1 62 5c 4d dc 15 46 d5 1c 17 56 31 cf 32 c0 5e 44 d8 ca d0 02 78 84 00 43 66 59 5a 39 1d bf e3 06 74 a2 20 e5 f0 3e 64 7c 46 25 76 e8 50 1a 3a 1c bc 7f 3c 00 c1 3b 74 b2 e3 be 3d e9 1d 07 e9 19 9f 11 9c 82 6e 37 75 57 8c 44
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxContent-Type: application/x-javascriptLast-Modified: Mon, 23 Jul 2018 10:46:32 GMTVary: Accept-EncodingContent-Encoding: gzipCache-Control: max-age=900Content-Length: 2206Accept-Ranges: bytesDate: Fri, 11 Jan 2019 19:05:42 GMTX-Varnish: 1148216880 1148148906Age: 885Via: 1.1 varnishConnection: keep-aliveX-Cache: HITData Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 5a 6b 6f e3 b8 15 fd 2b ac 3e 04 2d 10 3f 25 3f 92 4e 12 78 a6 d9 a2 83 c1 24 bb c9 b6 1f ea 85 40 4b b4 c3 19 89 54 45 ca 49 66 36 ff bd e7 52 96 62 7b ed 3c 3d 40 0b 64 e0 71 24 8a ba bc bc cf 73 2f fd fe e2 d7 ee 47 a3 d5 f9 28 cb de 73 a5 44 6e 46 2a fe ac ad 9c ca 88 5b a9 95 f9 f3 77 8f 67 99 f1 0e bf 7b 5f 74 ae b8 34 4d c3 33 dd cc ac 77 f8 ef ef 9e e2 a9 f0 0e bd 8f e5 23 6f df 9b 70 23 32 6e af 30 38 6e e1 5e 46 5a b9 eb 71 8b e8 34 a7 32 11 35 89 71 eb 97 d3 8b cb 71 4b a6 7c 26 9a d9 55 76 92 0a 7b a5 e3 a3 99 b0 7b 34 53 c6 47 7e e0 f7 40 27 cb 75 aa 2f c5 0d 96 f5 2e 75 cc 0d c3 27 e2 19
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /u9F HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: akxenrjjnou.xsl.ptConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /styles/bootstrap-min.css HTTP/1.1Accept: text/css, */*Referer: http://akxenrjjnou.xsl.pt/u9FAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: akxenrjjnou.xsl.ptConnection: Keep-AliveCookie: track=1547233476.8
Source: global trafficHTTP traffic detected: GET /styles/font-awesome.css HTTP/1.1Accept: text/css, */*Referer: http://akxenrjjnou.xsl.pt/u9FAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: akxenrjjnou.xsl.ptConnection: Keep-AliveCookie: track=1547233476.8
Source: global trafficHTTP traffic detected: GET /styles/master.css HTTP/1.1Accept: text/css, */*Referer: http://akxenrjjnou.xsl.pt/u9FAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: akxenrjjnou.xsl.ptConnection: Keep-AliveCookie: track=1547233476.8
Source: global trafficHTTP traffic detected: GET /styles/print.css HTTP/1.1Accept: text/css, */*Referer: http://akxenrjjnou.xsl.pt/u9FAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: akxenrjjnou.xsl.ptConnection: Keep-AliveCookie: track=1547233476.8
Source: global trafficHTTP traffic detected: GET /styles/img/icons/icon_video.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://akxenrjjnou.xsl.pt/u9FAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: akxenrjjnou.xsl.ptConnection: Keep-AliveCookie: track=1547233476.8
Source: global trafficHTTP traffic detected: GET /images/menu/logos/onss.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://akxenrjjnou.xsl.pt/u9FAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: akxenrjjnou.xsl.ptConnection: Keep-AliveCookie: track=1547233476.8
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: */*Referer: http://akxenrjjnou.xsl.pt/u9FAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: akxenrjjnou.xsl.ptConnection: Keep-AliveCookie: track=1547233476.8
Source: global trafficHTTP traffic detected: GET /styles/favicon.ico HTTP/1.1User-Agent: AutoItHost: akxenrjjnou.xsl.pt
Source: global trafficHTTP traffic detected: GET /pu HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: dfzasyuudds.xsl.ptConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /rg HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kdgrlvibpbucup.xsl.ptConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: xsl.pt
Source: global trafficHTTP traffic detected: GET /rp/http_static/css/styles.css HTTP/1.1Accept: text/css, */*Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: xsl.ptConnection: Keep-AliveCookie: lang=pt
Source: global trafficHTTP traffic detected: GET /rp/http_static/js/puny.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: xsl.ptConnection: Keep-AliveCookie: lang=pt
Source: global trafficHTTP traffic detected: GET /rp/http_static/js/ajax.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: xsl.ptConnection: Keep-AliveCookie: lang=pt
Source: global trafficHTTP traffic detected: GET /SAPO/ HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: js.sapo.ptConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /rp/http_static/images/bg.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: xsl.ptConnection: Keep-AliveCookie: lang=pt
Source: global trafficHTTP traffic detected: GET /rp/http_static/images/header_bg.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: xsl.ptConnection: Keep-AliveCookie: lang=pt
Source: global trafficHTTP traffic detected: GET /rp/http_static/images/shadow_small.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: xsl.ptConnection: Keep-AliveCookie: lang=pt
Source: global trafficHTTP traffic detected: GET /rp/http_static/images/footer.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: xsl.ptConnection: Keep-AliveCookie: lang=pt
Source: global trafficHTTP traffic detected: GET /sapologos/current/b146b6081ba4fc4b664dd3f53eb57eb766493c3c91d7fb17b5e5bf313df7b184.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: assets.web.sapo.ioConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /barimgs/bsu_v2.0/2.0.57/css/bsu.css?v=2.0.57 HTTP/1.1Accept: text/css, */*Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: assets.web.sapo.ioConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /barimgs/bsu_v2.0/2.0.57/img/sprite.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: assets.web.sapo.ioConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /barimgs/bsu_apps_ntfs/AppBanners.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://xsl.pt/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: imgs.sapo.ptConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /fj HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: uvlmqtqlbgx.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1
Source: global trafficHTTP traffic detected: GET /ds HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: inaggfvrys.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1
Source: global trafficHTTP traffic detected: GET /styles/bootstrap-min.css HTTP/1.1Accept: text/css, */*Referer: http://inaggfvrys.xsl.pt/dsAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: inaggfvrys.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233546.52
Source: global trafficHTTP traffic detected: GET /styles/font-awesome.css HTTP/1.1Accept: text/css, */*Referer: http://inaggfvrys.xsl.pt/dsAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: inaggfvrys.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233546.52
Source: global trafficHTTP traffic detected: GET /images/menu/logos/onss.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://inaggfvrys.xsl.pt/dsAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: inaggfvrys.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233546.52
Source: global trafficHTTP traffic detected: GET /styles/master.css HTTP/1.1Accept: text/css, */*Referer: http://inaggfvrys.xsl.pt/dsAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: inaggfvrys.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233546.52
Source: global trafficHTTP traffic detected: GET /styles/print.css HTTP/1.1Accept: text/css, */*Referer: http://inaggfvrys.xsl.pt/dsAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: inaggfvrys.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233546.52
Source: global trafficHTTP traffic detected: GET /styles/img/icons/icon_video.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://inaggfvrys.xsl.pt/dsAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: inaggfvrys.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233546.52
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: */*Referer: http://inaggfvrys.xsl.pt/dsAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: inaggfvrys.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233546.52
Source: global trafficHTTP traffic detected: GET /hJ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://inaggfvrys.xsl.pt/dsAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lheqcodoqk.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1
Source: global trafficHTTP traffic detected: GET /styles/bootstrap-min.css HTTP/1.1Accept: text/css, */*Referer: http://lheqcodoqk.xsl.pt/hJAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lheqcodoqk.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233562.81
Source: global trafficHTTP traffic detected: GET /styles/font-awesome.css HTTP/1.1Accept: text/css, */*Referer: http://lheqcodoqk.xsl.pt/hJAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lheqcodoqk.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233562.81
Source: global trafficHTTP traffic detected: GET /styles/master.css HTTP/1.1Accept: text/css, */*Referer: http://lheqcodoqk.xsl.pt/hJAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lheqcodoqk.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233562.81
Source: global trafficHTTP traffic detected: GET /styles/img/icons/icon_video.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://lheqcodoqk.xsl.pt/hJAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lheqcodoqk.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233562.81
Source: global trafficHTTP traffic detected: GET /styles/print.css HTTP/1.1Accept: text/css, */*Referer: http://lheqcodoqk.xsl.pt/hJAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lheqcodoqk.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233562.81
Source: global trafficHTTP traffic detected: GET /images/menu/logos/onss.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://lheqcodoqk.xsl.pt/hJAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lheqcodoqk.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233562.81
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: */*Referer: http://lheqcodoqk.xsl.pt/hJAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lheqcodoqk.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233562.81
Source: global trafficHTTP traffic detected: GET /T6 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://lheqcodoqk.xsl.pt/hJAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: onpuuoeayg.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1
Source: global trafficHTTP traffic detected: GET /styles/bootstrap-min.css HTTP/1.1Accept: text/css, */*Referer: http://onpuuoeayg.xsl.pt/T6Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: onpuuoeayg.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233565.76
Source: global trafficHTTP traffic detected: GET /styles/font-awesome.css HTTP/1.1Accept: text/css, */*Referer: http://onpuuoeayg.xsl.pt/T6Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: onpuuoeayg.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233565.76
Source: global trafficHTTP traffic detected: GET /styles/master.css HTTP/1.1Accept: text/css, */*Referer: http://onpuuoeayg.xsl.pt/T6Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: onpuuoeayg.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233565.76
Source: global trafficHTTP traffic detected: GET /styles/print.css HTTP/1.1Accept: text/css, */*Referer: http://onpuuoeayg.xsl.pt/T6Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: onpuuoeayg.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233565.76
Source: global trafficHTTP traffic detected: GET /styles/img/icons/icon_video.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://onpuuoeayg.xsl.pt/T6Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: onpuuoeayg.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233565.76
Source: global trafficHTTP traffic detected: GET /images/menu/logos/onss.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://onpuuoeayg.xsl.pt/T6Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: onpuuoeayg.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233565.76
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: */*Referer: http://onpuuoeayg.xsl.pt/T6Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: onpuuoeayg.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233565.76
Source: global trafficHTTP traffic detected: GET /66 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: axkkharbfjj.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1
Source: global trafficHTTP traffic detected: GET /styles/bootstrap-min.css HTTP/1.1Accept: text/css, */*Referer: http://axkkharbfjj.xsl.pt/66Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: axkkharbfjj.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233568.09
Source: global trafficHTTP traffic detected: GET /styles/font-awesome.css HTTP/1.1Accept: text/css, */*Referer: http://axkkharbfjj.xsl.pt/66Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: axkkharbfjj.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233568.09
Source: global trafficHTTP traffic detected: GET /styles/master.css HTTP/1.1Accept: text/css, */*Referer: http://axkkharbfjj.xsl.pt/66Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: axkkharbfjj.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233568.09
Source: global trafficHTTP traffic detected: GET /styles/print.css HTTP/1.1Accept: text/css, */*Referer: http://axkkharbfjj.xsl.pt/66Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: axkkharbfjj.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233568.09
Source: global trafficHTTP traffic detected: GET /styles/img/icons/icon_video.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://axkkharbfjj.xsl.pt/66Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: axkkharbfjj.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233568.09
Source: global trafficHTTP traffic detected: GET /images/menu/logos/onss.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://axkkharbfjj.xsl.pt/66Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: axkkharbfjj.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233568.09
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: */*Referer: http://axkkharbfjj.xsl.pt/66Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: axkkharbfjj.xsl.ptConnection: Keep-AliveCookie: bsuv2counthome=1; track=1547233568.09
Found strings which match to known social media urlsShow sources
Source: EJD1D233.htm.3.drString found in binary or memory: style="color: rgb(54, 57, 59); font-family: Arial,Tahoma,Helvetica,sans-serif; font-size: 12.6667px; font-style: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; display: inline ! important; float: none;">good memories. This is how long the light cycle scene should of been in the movie. Hope are taxes dint build that clown his bike. dude your capture is crappier than cod mw2 on a potato. Am an oh player I played it when it got out a few days later. Friendly advice, you jump of your cycle too early meaning you will land right on the light/shield whatever u wanna call it, jump a little later. your are fun to whatch i always whatch you on youtube hash tag like you. GTA ONLINE. Heyyy i watched this in netflix. A WORLD INSIDE A COMPUTER WHERE NO MAN HAS EVER BEEN. UNTIL NOW! Quantum Soldiers: 2:10 Now that equals www.youtube.com (Youtube)
Source: msapplication.xml1.2.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x26635288,0x01d4aa2c</date><accdate>0x26635288,0x01d4aa2c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.2.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x26635288,0x01d4aa2c</date><accdate>0x2665e39b,0x01d4aa2c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.2.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x269ce535,0x01d4aa2c</date><accdate>0x269ce535,0x01d4aa2c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.2.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x269ce535,0x01d4aa2c</date><accdate>0x269f426d,0x01d4aa2c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.2.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x26a3b8a0,0x01d4aa2c</date><accdate>0x26a3b8a0,0x01d4aa2c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.2.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x26a3b8a0,0x01d4aa2c</date><accdate>0x26a3b8a0,0x01d4aa2c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: XVGO2Y2B.htm.3.drString found in binary or memory: Photo&quot; uploaded Sunday (Oct. 28), the guys behind the Yes Theory&nbsp;. Oct 29, 2018. YouTube channel Yes Theory hired Justin Bieber impersonator Brad Sousa for equals www.youtube.com (Youtube)
Source: XVGO2Y2B.htm.3.drString found in binary or memory: eats his burrito sideways, like it&#39;s corn-on-the-cob? Turns out&nbsp;. Oct 29, 2018. In a YouTube video, titled equals www.youtube.com (Youtube)
Source: XVGO2Y2B.htm.3.drString found in binary or memory: photo went viral on Facebook, Twitter, and dozens of news sites. Oct 28, 2018. Remember how angry you were last week when you found out that Justin Bieber equals www.facebook.com (Facebook)
Source: XVGO2Y2B.htm.3.drString found in binary or memory: photo went viral on Facebook, Twitter, and dozens of news sites. Oct 28, 2018. Remember how angry you were last week when you found out that Justin Bieber equals www.twitter.com (Twitter)
Source: XVGO2Y2B.htm.3.drString found in binary or memory: r /; born March 1, 1994) is a Canadian singer-songwriter. After talent manager Scooter Braun discovered him through his YouTube videos covering songs in 2008 and he signed to RBMG, Bieber released his debut EP, My World, in late 2009. Watch <b>Justin bieber </b>gay porn on Pornhub.com, the best hardcore porn site. Pornhub is home to the widest selection of free Daddy sex videos full of the hottest pornstars. Marriage record of Justin equals www.youtube.com (Youtube)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: akxenrjjnou.xsl.pt
Posts data to webserverShow sources
Source: unknownHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 11 Jan 2019 19:05:41 GMTServer: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8x mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1Last-Modified: Thu, 19 Feb 2015 10:39:28 GMTETag: "116002-3cb5-50f6e8ce21800"Accept-Ranges: bytesContent-Length: 15541X-FRAME-OPTIONS: denyKeep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/javascriptData Raw: 69 66 20 28 21 53 41 50 4f 2e 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 20 7c 7c 20 74 79 70 65 6f 66 20 53 41 50 4f 2e 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 20 3d 3d 3d 20 27 75 6e 64 65 66 69 6e 65 64 27 29 20 7b 0a 20 20 20 20 53 41 50 4f 2e 6e 61 6d 65 73 70 61 63 65 28 27 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 27 29 3b 0a 7d 0a 53 41 50 4f 2e 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 2e 41 6a 61 78 20 3d 20 66 75 6e 63 74 69 6f 6e 28 75 72 6c 2c 20 6f 70 74 69 6f 6e 73 29 20 7b 0a 20 20 20 20 74 68 69 73 2e 69 6e 69 74 28 75 72 6c 2c 20 6f 70 74 69 6f 6e 73 29 3b 0a 7d 3b 0a 53 41 50 4f 2e 43 6f 6d
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)Show sources
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.12.2Date: Fri, 11 Jan 2019 19:04:37 GMTContent-Type: text/html; charset=urf-8Content-Length: 168Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.6.2</center></body></html>
Urls found in memory or binary dataShow sources
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://akxenrjjnou.xsl
Source: XVGO2Y2B.htm.3.drString found in binary or memory: http://akxenrjjnou.xsl.pt/
Source: T6[1].htm.3.drString found in binary or memory: http://akxenrjjnou.xsl.pt/Qr
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.dr, u9F[1].htm.3.drString found in binary or memory: http://akxenrjjnou.xsl.pt/u9F
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://akxenrjjnou.xsl.pt/u9F.pt/u9FRoot
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://akxenrjjnou.xsl.pt/u9FLGreen
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://akxenrjjnou.xsl.pt/u9FRoot
Source: ~DFE20935C8B8B1A793.TMP.2.drString found in binary or memory: http://akxenrjjnou.xsl.pt/u9Fxmlenc%2523%2522%2520Id%253D%2522devicesoftware%2522%2520Type%253D%2522
Source: styles[1].css.3.drString found in binary or memory: http://assets.web.sapo.io/sapologos/current/b146b6081ba4fc4b664dd3f53eb57eb766493c3c91d7fb17b5e5bf31
Source: TA7HWZLH.htm.3.drString found in binary or memory: http://auto.sapo.pt/Carros/Hyundai-i20-12-access-plus-2155706.aspx
Source: TA7HWZLH.htm.3.drString found in binary or memory: http://auto.sapo.pt/Carros/Nissan-Juke-12-DIG-T-Tekna-4x2-(115cv)-(5-lug)-(5p)-2165428.aspx
Source: TA7HWZLH.htm.3.drString found in binary or memory: http://auto.sapo.pt/Carros/Nissan-Juke-16-T-Tekna-Sport-(190cv)-(5p)-2166526.aspx
Source: TA7HWZLH.htm.3.drString found in binary or memory: http://auto.sapo.pt/Carros/Nissan-Micra-09-IG-T-ACENTA-GPS-90cv-2096394.aspx
Source: hJ[1].htm.3.drString found in binary or memory: http://avryyolsygztcc.xsl.pt/ku
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://axkkharbfjj.xsl
Source: YQ4I15SH.htm.3.drString found in binary or memory: http://axkkharbfjj.xsl.pt/
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.dr, 66[1].htm.3.dr, u9F[1].htm.3.drString found in binary or memory: http://axkkharbfjj.xsl.pt/66
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://axkkharbfjj.xsl.pt/66&Summary
Source: XVGO2Y2B.htm.3.drString found in binary or memory: http://daogruawrzbogf.xsl.pt/1lm
Source: 66[1].htm.3.drString found in binary or memory: http://daogruawrzbogf.xsl.pt/3vg
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://dfzasyuudds.xsl
Source: u9F[1].htm.3.drString found in binary or memory: http://dfzasyuudds.xsl.pt/pU
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://dfzasyuudds.xsl.pt/pu
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://dfzasyuudds.xsl.pt/pu$HTTP
Source: ~DFE20935C8B8B1A793.TMP.2.drString found in binary or memory: http://dfzasyuudds.xsl.pt/puZ
Source: T6[1].htm.3.drString found in binary or memory: http://duiwhmqcnesn.xsl.pt/74
Source: EJD1D233.htm.3.drString found in binary or memory: http://dzfvyhmenviwmy.xsl.pt/31
Source: EJD1D233.htm.3.drString found in binary or memory: http://dzfvyhmenviwmy.xsl.pt/wdl
Source: T6[1].htm.3.drString found in binary or memory: http://hbhzakitgo.xsl.pt/
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://inaggfvrys.xsl.
Source: EJD1D233.htm.3.drString found in binary or memory: http://inaggfvrys.xsl.pt/
Source: hJ[1].htm.3.drString found in binary or memory: http://inaggfvrys.xsl.pt/K2
Source: ds[1].htm.3.drString found in binary or memory: http://inaggfvrys.xsl.pt/Zf
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.dr, ds[1].htm.3.dr, u9F[1].htm.3.drString found in binary or memory: http://inaggfvrys.xsl.pt/ds
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://inaggfvrys.xsl.pt/ds.Xbox
Source: ~DFE20935C8B8B1A793.TMP.2.drString found in binary or memory: http://inaggfvrys.xsl.pt/dstp_404.htm#http://dfzasyuudds.xsl.pt/pu
Source: SAPO[1].js.3.drString found in binary or memory: http://js.sapo.pt/
Source: I1FPH1UR.htm.3.drString found in binary or memory: http://kdgrlvibpbucup.xsl.pt/77
Source: u9F[1].htm.3.drString found in binary or memory: http://kdgrlvibpbucup.xsl.pt/rG
Source: QZLRGMJF.htm.3.drString found in binary or memory: http://kqzheayuofmffx.xsl.pt/Eb
Source: 66[1].htm.3.drString found in binary or memory: http://kqzheayuofmffx.xsl.pt/hok
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://lheqcodoqk.xsl.
Source: QZLRGMJF.htm.3.drString found in binary or memory: http://lheqcodoqk.xsl.pt/
Source: hJ[1].htm.3.drString found in binary or memory: http://lheqcodoqk.xsl.pt/3L
Source: I1FPH1UR.htm.3.drString found in binary or memory: http://lheqcodoqk.xsl.pt/F3
Source: QZLRGMJF.htm.3.drString found in binary or memory: http://lheqcodoqk.xsl.pt/U6
Source: 66[1].htm.3.drString found in binary or memory: http://lheqcodoqk.xsl.pt/bI
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.dr, ds[1].htm.3.dr, hJ[1].htm.3.drString found in binary or memory: http://lheqcodoqk.xsl.pt/hJ
Source: ~DFE20935C8B8B1A793.TMP.2.drString found in binary or memory: http://lheqcodoqk.xsl.pt/hJX
Source: T6[1].htm.3.drString found in binary or memory: http://ofiekncnrenvou.xsl.pt/3Q
Source: XVGO2Y2B.htm.3.drString found in binary or memory: http://ofiekncnrenvou.xsl.pt/55
Source: T6[1].htm.3.drString found in binary or memory: http://ofiekncnrenvou.xsl.pt/Nb
Source: QZLRGMJF.htm.3.drString found in binary or memory: http://ofiekncnrenvou.xsl.pt/m9
Source: XVGO2Y2B.htm.3.drString found in binary or memory: http://ofiekncnrenvou.xsl.pt/y2K
Source: ds[1].htm.3.drString found in binary or memory: http://olugcvkaqfg.xsl.pt/S9
Source: QZLRGMJF.htm.3.drString found in binary or memory: http://olugcvkaqfg.xsl.pt/Va7
Source: 66[1].htm.3.drString found in binary or memory: http://olugcvkaqfg.xsl.pt/bjn
Source: QZLRGMJF.htm.3.drString found in binary or memory: http://olugcvkaqfg.xsl.pt/z4
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://onpuuoeayg.xsl.
Source: I1FPH1UR.htm.3.drString found in binary or memory: http://onpuuoeayg.xsl.pt/
Source: YQ4I15SH.htm.3.drString found in binary or memory: http://onpuuoeayg.xsl.pt/50
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.dr, T6[1].htm.3.dr, hJ[1].htm.3.drString found in binary or memory: http://onpuuoeayg.xsl.pt/T6
Source: ds[1].htm.3.drString found in binary or memory: http://onpuuoeayg.xsl.pt/y4D
Source: hJ[1].htm.3.drString found in binary or memory: http://oocqqgnojpk.xsl.pt/NV
Source: XVGO2Y2B.htm.3.drString found in binary or memory: http://oocqqgnojpk.xsl.pt/t8
Source: ds[1].htm.3.drString found in binary or memory: http://pwhocynqvwh.xsl.pt/0ig
Source: I1FPH1UR.htm.3.drString found in binary or memory: http://pwhocynqvwh.xsl.pt/8g
Source: YQ4I15SH.htm.3.drString found in binary or memory: http://qxgudwtpycdqq.xsl.pt/hw
Source: I1FPH1UR.htm.3.drString found in binary or memory: http://uryyhzzhbz.xsl.pt/0xy
Source: 66[1].htm.3.drString found in binary or memory: http://uryyhzzhbz.xsl.pt/GP
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://uvlmqtqlbgx.xsl
Source: u9F[1].htm.3.drString found in binary or memory: http://uvlmqtqlbgx.xsl.pt/fJ
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://uvlmqtqlbgx.xsl.pt/fj
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://uvlmqtqlbgx.xsl.pt/fj$HTTP
Source: ~DFE20935C8B8B1A793.TMP.2.drString found in binary or memory: http://uvlmqtqlbgx.xsl.pt/fjtp_404.htm#http://dfzasyuudds.xsl.pt/pu
Source: EJD1D233.htm.3.drString found in binary or memory: http://uvlmqtqlbgx.xsl.pt/jt
Source: I1FPH1UR.htm.3.drString found in binary or memory: http://vvqhidoqkjayt.xsl.pt/Aa5
Source: YQ4I15SH.htm.3.drString found in binary or memory: http://vvqhidoqkjayt.xsl.pt/Q3
Source: SAPO[1].js.3.drString found in binary or memory: http://wa.sl.pt/wa.gif?
Source: msapplication.xml.2.drString found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.2.drString found in binary or memory: http://www.google.com/
Source: msapplication.xml3.2.drString found in binary or memory: http://www.live.com/
Source: msapplication.xml4.2.drString found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.2.drString found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.2.drString found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.2.drString found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.2.drString found in binary or memory: http://www.youtube.com/
Source: rg[1].htm.3.drString found in binary or memory: http://xsl.pt
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://xsl.pt/
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: http://xsl.pt/ds.xsl
Source: ~DFE20935C8B8B1A793.TMP.2.drString found in binary or memory: http://xsl.pt/ds.xsl.pt/pu
Source: ~DFE20935C8B8B1A793.TMP.2.drString found in binary or memory: http://xsl.pt/ds.xsl.pt/putp_404.htm#http://dfzasyuudds.xsl.pt/pu
Source: TA7HWZLH.htm.3.drString found in binary or memory: http://y3c.12.xsl.pt
Source: TA7HWZLH.htm.3.drString found in binary or memory: http://y3c.1r.xsl.pt
Source: TA7HWZLH.htm.3.drString found in binary or memory: http://y3c.2j.xsl.pt
Source: TA7HWZLH.htm.3.drString found in binary or memory: http://y3c.2n.xsl.pt
Source: TA7HWZLH.htm.3.drString found in binary or memory: http://y3c.2p.xsl.pt
Source: TA7HWZLH.htm.3.drString found in binary or memory: http://y3c.2v.xsl.pt
Source: XVGO2Y2B.htm.3.drString found in binary or memory: http://yjptufiulvvhxq.xsl.pt/OJ
Source: EJD1D233.htm.3.drString found in binary or memory: http://yjptufiulvvhxq.xsl.pt/Y9
Source: YQ4I15SH.htm.3.drString found in binary or memory: http://yjptufiulvvhxq.xsl.pt/oU
Source: EJD1D233.htm.3.drString found in binary or memory: http://yuerxjrjxu.xsl.pt/3H
Source: YQ4I15SH.htm.3.drString found in binary or memory: http://ziwzkrnmpivybu.xsl.pt/4ha
Source: TA7HWZLH.htm.3.drString found in binary or memory: https://24.sapo.pt/desporto/artigos/o-11-do-ano-da-uefa-cristiano-ronaldo-eleito-pela-13-a-vez-na-eq
Source: TA7HWZLH.htm.3.drString found in binary or memory: https://bars.sapo.pt/bsu_v2.0/barra.js
Source: XVGO2Y2B.htm.3.drString found in binary or memory: https://familysearch.org
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: https://login.sapo.pt/Bsu/Max.do?ref=http%3A%2F%2Fxsl.pt&source=http%3A%2F%2Fxsl.pt%2F&login=&logout
Source: {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: https://login.sapo.pt/Bsu/Min.do?ref=http%3A%2F%2Fxsl.pt&source=http%3A%2F%2Fxsl.pt%2F&login=&logout
Source: TA7HWZLH.htm.3.drString found in binary or memory: https://ssl.sapo.pt/bars.sapo.pt/footer_fundo_claro/barra.js
Source: SAPO[1].js.3.drString found in binary or memory: https://wa.sl.pt/wa.gif?
Source: YQ4I15SH.htm.3.drString found in binary or memory: https://www.google.be/search
Source: TA7HWZLH.htm.3.drString found in binary or memory: https://www.ptempresas.pt/lojas/loja-meo-aveiro-aveiro-shopping-center
Source: YQ4I15SH.htm.3.dr, {2A0F7057-161F-11E9-AADC-44C1B3FB757B}.dat.2.drString found in binary or memory: https://www.socialsecurity.be/citizen/nl/
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49808 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49809
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49808
Source: unknownNetwork traffic detected: HTTP traffic on port 49809 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49814
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: clean1.win@3/60@16/7
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user~1\AppData\Local\Temp\~DF830AE654BF31CD36.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:17410 /prefetch:2Jump to behavior
Tries to open an application configuration file (.cfg)Show sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Windows\SysWOW64\Macromed\Flash\ss.cfgJump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 102816 URL: http://akxenrjjnou.xsl.pt/u9F Startdate: 11/01/2019 Architecture: WINDOWS Score: 1 11 akxenrjjnou.xsl.pt 2->11 6 iexplore.exe 10 84 2->6         started        process3 process4 8 iexplore.exe 2 110 6->8         started        dnsIp5 13 login.sapo.pt 213.13.145.98, 443, 49813, 49814 MEO-RESIDENCIALPT Portugal 8->13 15 js.sapo.pt 213.13.146.180, 49806, 49807, 80 MEO-RESIDENCIALPT Portugal 8->15 17 14 other IPs or domains 8->17

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
http://akxenrjjnou.xsl.pt/u9F0%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
xsl.pt0%virustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://y3c.2v.xsl.pt0%Avira URL Cloudsafe
http://lheqcodoqk.xsl.pt/hJ0%Avira URL Cloudsafe
http://inaggfvrys.xsl.pt/styles/img/icons/icon_video.gif0%Avira URL Cloudsafe
http://kqzheayuofmffx.xsl.pt/Eb0%Avira URL Cloudsafe
http://onpuuoeayg.xsl.pt/0%Avira URL Cloudsafe
http://yuerxjrjxu.xsl.pt/3H0%Avira URL Cloudsafe
http://dfzasyuudds.xsl0%Avira URL Cloudsafe
http://dfzasyuudds.xsl.pt/pU0%Avira URL Cloudsafe
http://onpuuoeayg.xsl.pt/styles/img/icons/icon_video.gif0%Avira URL Cloudsafe
http://xsl.pt/rp/http_static/js/ajax.js0%Avira URL Cloudsafe
http://oocqqgnojpk.xsl.pt/NV0%Avira URL Cloudsafe
http://axkkharbfjj.xsl.pt/0%Avira URL Cloudsafe
http://y3c.2n.xsl.pt0%Avira URL Cloudsafe
http://y3c.2p.xsl.pt0%Avira URL Cloudsafe
http://onpuuoeayg.xsl.pt/styles/bootstrap-min.css0%Avira URL Cloudsafe
http://ofiekncnrenvou.xsl.pt/550%Avira URL Cloudsafe
http://akxenrjjnou.xsl.pt/Qr0%Avira URL Cloudsafe
http://onpuuoeayg.xsl.pt/y4D0%Avira URL Cloudsafe
http://inaggfvrys.xsl.pt/ds0%Avira URL Cloudsafe
http://kqzheayuofmffx.xsl.pt/hok0%Avira URL Cloudsafe
http://uvlmqtqlbgx.xsl.pt/fJ0%Avira URL Cloudsafe
http://lheqcodoqk.xsl.pt/styles/master.css0%Avira URL Cloudsafe
http://inaggfvrys.xsl.pt/0%Avira URL Cloudsafe
http://olugcvkaqfg.xsl.pt/z40%Avira URL Cloudsafe
http://dfzasyuudds.xsl.pt/pu0%Avira URL Cloudsafe
http://ofiekncnrenvou.xsl.pt/m90%Avira URL Cloudsafe
http://pwhocynqvwh.xsl.pt/0ig0%Avira URL Cloudsafe
http://xsl.pt/ds.xsl0%Avira URL Cloudsafe
http://xsl.pt0%virustotalBrowse
http://xsl.pt0%Avira URL Cloudsafe
http://xsl.pt/rp/http_static/images/bg.png0%Avira URL Cloudsafe
http://vvqhidoqkjayt.xsl.pt/Q30%Avira URL Cloudsafe
http://onpuuoeayg.xsl.pt/500%Avira URL Cloudsafe
http://xsl.pt/ds.xsl.pt/putp_404.htm#http://dfzasyuudds.xsl.pt/pu0%Avira URL Cloudsafe
http://olugcvkaqfg.xsl.pt/Va70%Avira URL Cloudsafe
http://ofiekncnrenvou.xsl.pt/3Q0%Avira URL Cloudsafe
http://akxenrjjnou.xsl.pt/u9F0%virustotalBrowse
http://akxenrjjnou.xsl.pt/u9F0%Avira URL Cloudsafe
http://uvlmqtqlbgx.xsl.pt/fj0%Avira URL Cloudsafe
http://ofiekncnrenvou.xsl.pt/Nb0%Avira URL Cloudsafe
http://dfzasyuudds.xsl.pt/puZ0%Avira URL Cloudsafe
http://xsl.pt/rp/http_static/images/header_bg.jpg0%Avira URL Cloudsafe
http://axkkharbfjj.xsl.pt/styles/print.css0%Avira URL Cloudsafe
http://inaggfvrys.xsl.pt/dstp_404.htm#http://dfzasyuudds.xsl.pt/pu0%Avira URL Cloudsafe
http://lheqcodoqk.xsl.pt/F30%Avira URL Cloudsafe
http://lheqcodoqk.xsl.pt/styles/bootstrap-min.css0%Avira URL Cloudsafe
http://daogruawrzbogf.xsl.pt/3vg0%Avira URL Cloudsafe
http://dzfvyhmenviwmy.xsl.pt/wdl0%Avira URL Cloudsafe
http://y3c.2j.xsl.pt0%Avira URL Cloudsafe
http://onpuuoeayg.xsl.pt/styles/master.css0%Avira URL Cloudsafe
http://axkkharbfjj.xsl.pt/66&Summary0%Avira URL Cloudsafe
http://olugcvkaqfg.xsl.pt/S90%Avira URL Cloudsafe
http://lheqcodoqk.xsl.0%Avira URL Cloudsafe
http://axkkharbfjj.xsl.pt/styles/img/icons/icon_video.gif0%Avira URL Cloudsafe
http://qxgudwtpycdqq.xsl.pt/hw0%Avira URL Cloudsafe
http://akxenrjjnou.xsl.pt/styles/font-awesome.css0%Avira URL Cloudsafe
http://lheqcodoqk.xsl.pt/images/menu/logos/onss.gif0%Avira URL Cloudsafe
http://onpuuoeayg.xsl.0%Avira URL Cloudsafe
http://axkkharbfjj.xsl.pt/660%Avira URL Cloudsafe
http://xsl.pt/0%virustotalBrowse
http://xsl.pt/0%Avira URL Cloudsafe
http://uvlmqtqlbgx.xsl0%Avira URL Cloudsafe
http://onpuuoeayg.xsl.pt/images/menu/logos/onss.gif0%Avira URL Cloudsafe
http://inaggfvrys.xsl.0%Avira URL Cloudsafe
http://xsl.pt/rp/http_static/images/footer.png0%Avira URL Cloudsafe
http://inaggfvrys.xsl.pt/styles/bootstrap-min.css0%Avira URL Cloudsafe
http://hbhzakitgo.xsl.pt/0%Avira URL Cloudsafe
http://lheqcodoqk.xsl.pt/styles/print.css0%Avira URL Cloudsafe
http://ziwzkrnmpivybu.xsl.pt/4ha0%Avira URL Cloudsafe
http://inaggfvrys.xsl.pt/styles/master.css0%Avira URL Cloudsafe
http://inaggfvrys.xsl.pt/styles/font-awesome.css0%Avira URL Cloudsafe
http://lheqcodoqk.xsl.pt/0%Avira URL Cloudsafe
http://oocqqgnojpk.xsl.pt/t80%Avira URL Cloudsafe
http://daogruawrzbogf.xsl.pt/1lm0%Avira URL Cloudsafe
http://yjptufiulvvhxq.xsl.pt/OJ0%Avira URL Cloudsafe
http://akxenrjjnou.xsl0%Avira URL Cloudsafe
http://lheqcodoqk.xsl.pt/U60%Avira URL Cloudsafe
http://inaggfvrys.xsl.pt/Zf0%Avira URL Cloudsafe
https://wa.sl.pt/wa.gif?0%Avira URL Cloudsafe
http://akxenrjjnou.xsl.pt/u9FLGreen0%Avira URL Cloudsafe
http://akxenrjjnou.xsl.pt/styles/img/icons/icon_video.gif0%Avira URL Cloudsafe
http://inaggfvrys.xsl.pt/K20%Avira URL Cloudsafe
http://lheqcodoqk.xsl.pt/3L0%Avira URL Cloudsafe
http://uryyhzzhbz.xsl.pt/GP0%Avira URL Cloudsafe
http://xsl.pt/rp/http_static/images/shadow_small.png0%Avira URL Cloudsafe
http://dzfvyhmenviwmy.xsl.pt/310%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.