
Analysis Report 59ceo@cryptotelecom.com

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:141285
Start date:12.06.2019
Start time:23:37:36
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 25s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:59ceo@cryptotelecom.com
Cookbook file name:defaultwindowshtmlcookbook.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean2.winCOM@3/52@3/2
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .com
  • Browsing link: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?
  • Browsing link: http://www.magicwinmail.net/?so=winmailcust
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, ielowutil.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 92.122.32.78, 152.199.19.161
  • Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, ie9comview.vo.msecnd.net, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

Strategy  | Score | Range   | Whitelisted | Detection
Threshold | 2     | 0 - 100 | false       | clean

Confidence

Strategy  | Score | Range | Further Analysis Required?
Threshold | 5     | 0 - 5 | false


Classification

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Port Monitors | File System Logical Offsets | Credential Dumping | File and Directory Discovery (1) | Remote File Copy (2) | Data from Local System | Data Compressed | Standard Non-Application Layer Protocol (3)
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Binary Padding | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Application Layer Protocol (3)
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy (2)

(n) = number of signatures matching that technique; cells without a count are unmatched entries of the matrix template.

Signature Overview



Phishing:

HTML body contains low number of good links
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.com | HTTP Parser: Number of links: 0
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php? | HTTP Parser: Number of links: 0
HTML title does not match URL
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.com | HTTP Parser: Title: Mail | Sign-in does not match URL
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php? | HTTP Parser: Title: Mail | Sign-in does not match URL
Non-HTTPS page querying sensitive user data (password, username or email)
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.com | HTTP Parser: Has password / email / username input fields
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php? | HTTP Parser: Has password / email / username input fields
Suspicious form URL found
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.com | HTTP Parser: Form action: login.php
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php? | HTTP Parser: Form action: login.php
META author tag missing
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.com | HTTP Parser: No <meta name="author".. found
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php? | HTTP Parser: No <meta name="author".. found
META copyright tag missing
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.com | HTTP Parser: No <meta name="copyright".. found
  Source: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php? | HTTP Parser: No <meta name="copyright".. found
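The six HTTP Parser signatures above are cheap static checks on the fetched HTML, and they are the reason this page reads as a credential-harvesting form even though the overall verdict is CLEAN. The Python below, an added example rather than Joe Sandbox code, re-implements those checks over two constructed pages: one modelled on what the report says about the kvsurgicals.com page (title "Mail | Sign-in", form action login.php, email and password inputs, no links, no author/copyright meta; the rest of the markup is assumed) and one benign control. The thresholds (fewer than three absolute links, title word versus hostname, form must post over HTTPS to the same host) are this example's own assumptions, not the sandbox's exact rules.

```python
"""Static phishing-page heuristics of the kind listed above (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageScanner(HTMLParser):
    """Collect title, links, inputs, form actions and <meta name=...> tags."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.hrefs = []          # href of every <a>
        self.inputs = []         # (type, name) of every <input>
        self.form_actions = []   # action of every <form>
        self.meta_names = set()  # lower-cased <meta name="...">

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(),
                                (a.get("name") or "").lower()))
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


SENSITIVE_NAMES = ("password", "pass", "email", "user", "login")


def scan_page(url, html):
    """Return a list of findings; an empty list means no heuristic fired."""
    p = _PageScanner()
    p.feed(html)
    p.close()
    page = urlparse(url)
    host = (page.hostname or "").lower()
    findings = []

    # 1. Few absolute links: a cloned login form rarely links to the real site.
    good_links = [h for h in p.hrefs if urlparse(h).scheme in ("http", "https")]
    if len(good_links) < 3:                      # threshold is an assumption
        findings.append(f"low number of good links: {len(good_links)}")

    # 2. Title vs URL: no word of the title appears in the hostname.
    words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", p.title)]
    if p.title and not any(w in host for w in words):
        findings.append(f"title {p.title.strip()!r} does not match host {host!r}")

    # 3. Credential fields served over plain HTTP.
    sensitive = [i for i in p.inputs
                 if i[0] in ("password", "email") or any(s in i[1] for s in SENSITIVE_NAMES)]
    if sensitive and page.scheme != "https":
        findings.append("non-HTTPS page with password / email / username input fields")

    # 4. Form action: empty, non-HTTPS, or posting to a different host.
    for action in p.form_actions:
        target = urlparse(urljoin(url, action))
        if not action or target.scheme != "https" or (target.hostname or "").lower() != host:
            findings.append(f"suspicious form action: {action!r} -> {target.geturl()}")

    # 5. Missing authorship metadata (weak on its own, but free to check).
    for name in ("author", "copyright"):
        if name not in p.meta_names:
            findings.append(f"META {name} tag missing")
    return findings


# Constructed inputs: the first models the page the report describes, the
# second is a benign control. Neither is the kit's real markup.
PHISH_URL = "http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?"
PHISH_HTML = """<html><head><title>Mail | Sign-in</title></head><body>
<form action="login.php" method="post">
<input type="email" name="email"><input type="password" name="password">
<input type="submit" value="Sign in"></form></body></html>"""

BENIGN_URL = "https://mail.example.com/login"
BENIGN_HTML = """<html><head><title>Example Mail - Sign in</title>
<meta name="author" content="Example Corp"><meta name="copyright" content="Example Corp">
</head><body>
<a href="https://www.example.com/">Home</a> <a href="https://www.example.com/help">Help</a>
<a href="https://www.example.com/privacy">Privacy</a>
<form action="/login" method="post">
<input type="email" name="email"><input type="password" name="password"></form>
</body></html>"""

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (BENIGN_URL, BENIGN_HTML)):
        print(url, scan_page(url, html) or "no findings")
```

Run against the modelled page every one of the six signatures fires; the control page produces none. Individually these checks are noisy (plenty of legitimate intranet pages lack a copyright meta tag), which is why a sandbox reports them as evidence rather than as a verdict; the combination of a non-HTTPS credential form whose title names a product the hostname does not is what a reviewer should act on.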

Networking:

Downloads compressed data via HTTP
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 12 Jun 2019 21:38:41 GMTServer: ApacheX-Powered-By: PHP/7.2.17Vary: Accept-Encoding,User-AgentContent-Encoding: gzipContent-Length: 3119Keep-Alive: timeout=5Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 cd 1a 6b 73 db c6 f1 33 f9 2b ce b0 6b 90 95 09 82 a4 68 4b 7c 25 8e 6c 77 d2 b1 a7 8e e5 b8 9d 49 3a 9e 23 70 20 20 e2 25 e0 20 8a 72 f4 83 fa 37 fa cb ba 7b 87 c7 01 04 65 27 f9 52 e6 21 de de be 77 6f 6f f7 a4 85 cb 03 7f d5 5d b8 8c da ab 45 c0 38 25 2e e7 f1 80 5d 67 de cd 52 bb 88 42 ce 42 3e f8 b8 8f 99 46 2c b9 5a 6a 9c dd f2 21 52 ce 89 e5 d2 24 65 7c 99 71 67 70 a6 ad ba 9d 05 f7 b8 cf 56 ef a8 e7 93 df c8 a5 b7 09 07 5e b8 18 4a 28 6c a7 56 e2 c5 9c f8 34 dc 64 74 c3 96 da df e9 0d bd 14 40 8d a4 89 b5 d4 1c cf 67 e9 70 3c f5 c7 9c 5f d3 d0 da ae cf 47 6c cb 77 77 d7 d6 e6 ea 96 db c6 55 aa 11 0e 1a e5 8a 5c 01 03 c9 55 5b 2d 86 f2 1b 4a f2 bd 70 4b dc 84 39 05 cb e7 81 1d ed f6 ce 8d b9 9d 66 e3 68 3a
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 12 Jun 2019 21:38:42 GMTServer: ApacheLast-Modified: Mon, 18 Dec 2017 17:17:00 GMTETag: "a280b76-e4a-560a084a51b00-gzip"Accept-Ranges: bytesVary: Accept-Encoding,User-AgentContent-Encoding: gzipContent-Length: 1041Keep-Alive: timeout=5Connection: Keep-AliveContent-Type: application/javascriptData Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 56 6b 93 da 36 14 fd 9e 99 fc 07 7d 2a b0 b0 18 5b 82 64 53 60 86 b0 9b 76 9b 26 7d 6c d2 47 1e 9d 31 b6 8c 9d 18 9b 4a 82 5d 92 d9 ff de 23 0b b0 17 9c 1a 36 33 ad 67 04 42 ba e7 dc ab 7b 75 0f 5e ba 82 3c 1d 5d 5d f4 d8 e0 f3 c3 07 04 8f 75 72 62 26 e4 84 bc 0a 23 49 96 ae 88 dc 49 cc 09 e6 5e ea 73 9f 7c e4 ab 16 e1 ae 17 12 2f 74 85 eb 29 2e b0 23 04 97 f3 34 f1 25 51 29 51 21 27 72 31 91 9e 88 e6 8a 44 8a 08 3e c7 3e 4f 94 cc f6 40 14 25 d3 8d 23 cb 4c 78 f2 9c af 9e 90 da e8 e9 f8 fc e2 d9 77 df 5f fe f0 fc c7 17 2f 7f fa f9 97 5f af 5e bd fe ed f7 3f fe 7c e3 4e 3c 9f 07 d3 30 fa f0 31 9e 25 e9 fc 6f 21 d5 62 79 7d b3 fa d4
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 12 Jun 2019 21:38:42 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 18 Dec 2017 17:17:00 GMTETag: "a280b82-7db-560a084a51b00-gzip"Accept-Ranges: bytesVary: Accept-Encoding,User-AgentContent-Encoding: gzipContent-Length: 707Keep-Alive: timeout=5Content-Type: text/cssData Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 55 db 8e d3 30 10 7d a6 52 ff c1 d2 0a 09 a4 a4 4a da 0d 50 e7 69 61 c5 17 f0 8e c6 b5 93 98 3a 76 70 9c dd ee 56 fc 3b b6 73 69 9b a4 05 21 dc 97 da e3 39 67 66 ce 8c 53 98 52 04 88 28 fa 82 8e 25 e8 9c 4b 1c a5 a8 02 4a b9 cc dd df 67 4e 4d 81 e3 28 7a 9b a2 82 f1 bc 30 ed 66 b9 78 93 29 69 c2 0c 4a 2e 5e f0 83 e6 20 82 1a 64 1d d6 4c f3 2c f8 06 85 2a 21 45 fe 52 cd 5f 19 8e d7 d5 21 45 3b 25 94 c6 77 1b bf 52 24 b8 64 61 8f 9b 38 12 02 bb 7d ae 55 23 69 d8 dd fd ea 97 63 ac 77 5a 09 41 40 5b da 1d eb ed 6c ed 7e 29 3a 59 37 54 38 c4 eb 17 40 6b f5 1c 8e 62 b9 20 30 da c6 31 06 38 43 a0 a0 f7 75 01 f4 04 33 65 21 50 8
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 12 Jun 2019 21:38:42 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 18 Dec 2017 17:17:00 GMTETag: "a280b7d-4e0-560a084a51b00-gzip"Accept-Ranges: bytesVary: Accept-Encoding,User-AgentContent-Encoding: gzipContent-Length: 514Keep-Alive: timeout=5Content-Type: text/cssData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 53 51 6e 9c 30 10 fd af d4 3b 58 8a 22 b5 1f 44 80 77 93 05 be 2a a5 07 f1 82 81 49 8c 0d c6 ec b2 bb ea c9 fa d1 23 f5 0a b5 b1 4d 12 96 68 6b 24 e4 31 c3 bc 79 ef 8d ff fe fe f3 50 00 61 a2 0a c4 81 4a 46 4e e8 d2 8a 1e 14 08 9e 92 7d 2f d8 a0 68 c6 68 a9 d2 30 53 a2 d5 ef bd 50 4a 34 7a 23 a1 aa cd f1 9e e4 af 95 14 03 2f 82 5c 30 21 d3 bb 72 5a 19 3a 07 c0 0b 3a a6 49 92 64 bf be 7e f1 48 0d 01 be 06 83 2c 00 72 70 a8 25 45 01 bc 32 db 86 c8 0a b8 d9 dd 46 8b c2 d0 e4 09 59 50 99 ea d2 50 a0 a8 1d d1 dd f6 f9 e9 e7 8f 6d 86 96 9d f8 a0 a6 44 ff 81 2e 47 28 54 6d aa dc 67 a8 a6 13 c9 78 db 8e 6b d0 be e4 db 97 74 90 e
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 12 Jun 2019 21:38:42 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 18 Dec 2017 17:17:00 GMTETag: "a280b7c-1fd7-560a084a51b00-gzip"Accept-Ranges: bytesVary: Accept-Encoding,User-AgentContent-Encoding: gzipContent-Length: 2215Keep-Alive: timeout=5Content-Type: application/javascriptData Raw: 1f 8b 08 00 00 00 00 00 00 03 bd 19 5d 6f db c8 f1 59 07 dc 7f d8 28 69 48 56 32 4d 3b b9 a0 91 2c df 83 af 40 83 06 77 38 5c 80 26 08 82 82 22 57 d2 9e 29 ae 40 ae 6c 2b 39 ff b2 3e f4 27 f5 2f 74 66 f6 83 4b 89 92 3f 9a f4 21 32 77 76 76 be 77 66 76 f2 9f 7f fd 3b 9c ad cb 4c 09 59 86 cf 22 f6 e5 fb ef 7a 57 69 c5 96 72 5d 73 36 61 5f 6e 46 c9 90 6d 46 c9 ed d8 ec c8 15 2f 79 fe 93 48 0b 39 af 01 e3 e3 27 bb 53 a4 e5 7c 9d ce 39 42 91 4e 4f 09 55 f0 11 0b de 94 33 59 2d 53 e4 11 0c 71 a3 90 69 2e ca 39 6c bd d5 5f 71 1c eb 1d 79 09 c0 5f fe ae 17 59 5a 66 bc 00 c0 05 7d 68 e0 86 d7 00 f9 c0 6b bd 2c 25 ac 7e 96 e6 40 21 6b 64 78 81 7f
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 12 Jun 2019 21:38:42 GMTServer: ApacheLast-Modified: Mon, 18 Dec 2017 17:17:00 GMTETag: "a280b80-169d5-560a084a51b00-gzip"Accept-Ranges: bytesVary: Accept-Encoding,User-AgentContent-Encoding: gzipContent-Length: 32775Keep-Alive: timeout=5Connection: Keep-AliveContent-Type: application/javascriptData Raw: 1f 8b 08 00 00 00 00 00 00 03 cd bd 6b 7b db 46 b2 2e fa 7d fd 0a 11 e3 a5 00 66 93 a2 9c 64 f6 1a 28 10 b7 63 27 13 cf 24 76 26 76 56 92 a1 98 3c 10 09 4a 88 49 80 01 40 4b 8a c8 f9 ed a7 de aa ee 46 e3 22 c7 b3 f6 3e cf 39 99 b1 08 34 fa 7e a9 ae 7b 9d 3c 1e 1c fd fa 8f 5d 52 dc 1d bd 3b 1d ff 65 7c 7a b4 3f f2 17 c1 d1 93 c9 e4 53 45 7f 4f 9f 98 cf 5f e6 bb 6c 19 57 69 9e a9 a3 17 d9 62 4c 19 7f fd 0d 5f c6 79 71 75 b2 4e 17 49 56 26 ff 71 72 f2 bf 8f ca 7c 57 2c 92 6f e2 ed 36 cd ae be ff ee eb 48 e7 db a4 d9 78 13 6f ff e3 f1 89 bf da 65 0b 54 e5 27 aa 0a ee df c5 c5 51 a6 0a 95 46 d5 dd 36 c9 57 47 95 ca a3 64 bc cc 17 bb 4d 92 55 2a a6 97 75 be 90 c6 4b
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 12 Jun 2019 21:38:58 GMTServer: ApacheX-Powered-By: PHP/7.2.17Upgrade: h2,h2cConnection: Upgrade, Keep-AliveVary: Accept-Encoding,User-AgentContent-Encoding: gzipContent-Length: 3101Keep-Alive: timeout=5Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 cd 1a 6b 73 db c6 f1 33 f9 2b ce b0 6b 90 95 09 82 a4 68 4b 7c a5 8e 6c 77 d2 b1 a7 8e e5 b8 9d 49 32 9e 23 70 20 20 e2 25 e0 20 8a 72 f4 83 fa 37 fa cb ba 7b 87 c7 01 04 65 27 f9 52 24 63 f2 f6 f6 bd 7b 7b bb a0 16 2e 0f fc 55 77 e1 32 6a af 16 01 e3 94 b8 9c c7 03 76 9d 79 37 4b ed 22 0a 39 0b f9 e0 e3 3e 66 1a b1 e4 6a a9 71 76 cb 87 48 39 27 96 4b 93 94 f1 65 c6 9d c1 99 b6 ea 76 16 dc e3 3e 5b bd a3 9e 4f 7e 23 97 de 26 1c 78 e1 62 28 a1 b0 9d 5a 89 17 73 e2 d3 70 93 d1 0d 5b 6a ff a0 37 f4 52 00 35 92 26 d6 52 73 3c 9f a5 c3 f1 d4 1f 73 7e 4d 43 6b bb 3e 1f b1 2d df dd 5d 5b 9b ab 5b 6e 1b 57 a9 46 38 68 94 2b 72 05 0c 24 57 6d b5 18 ca 6f 28 c9 f7 c2 2d 71 13 e6 14 2c 9f 07 76 b4
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 12 Jun 2019 21:39:55 GMTServer: ApacheX-Frame-Options: SAMEORIGINSet-Cookie: ask_name=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=magicwinmail.netSet-Cookie: ask_email=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=magicwinmail.netSet-Cookie: ask_ver=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=magicwinmail.netSet-Cookie: ask_regname=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=magicwinmail.netContent-Encoding: gzipVary: Accept-EncodingContent-Length: 3047Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 0b ed 1b 59 73 db 36 fa b9 9d e9 7f 40 98 69 d7 99 d1 41 49 56 6c d7 92 67 64 cb a9 d5 fa 5a 4b 5d b7 4f 19 88 04 25 d4 bc 02 80 52 95 6e ff fb 7e 38 48 91 14 7d a8 f6 4e 93 b6 f4 c4 26 41 e0 bb 4f 10 e9 bd 72 23 47 ac 62 82 ce 26 17 e7 e8 fa c7 e3 f3 d1 09 b2 ea cd e6
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 12 Jun 2019 21:40:25 GMTServer: ApacheX-Frame-Options: SAMEORIGINSet-Cookie: ask_name=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=magicwinmail.netSet-Cookie: ask_email=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=magicwinmail.netSet-Cookie: ask_ver=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=magicwinmail.netSet-Cookie: ask_regname=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=magicwinmail.netContent-Encoding: gzipVary: Accept-EncodingContent-Length: 5836Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 0b e5 5c 5b 73 db 38 b2 7e 5e 57 cd 7f c0 6a 6b 67 93 2a 5d ed 78 72 93 3d 25 df 62 9d b2 1d 6d a4 4c 66 9f 52 10 09 49 8c 29 82 43 90 56 b4 b5 ff e6 bc 9c 9f 79 ba 1b 00 ef 92 e5 c4 b3 93 a9 28 55 b1 44 81 8d ee 46 f7 d7 17 40 ec ff d5 95 4e bc 0e 05 bb 9c 5c 5f b1 d1
Downloads files from webservers via HTTP
Source: global trafficHTTP traffic detected: GET /xnxx/index.php?email=ceo@cryptotelecom.com HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.com HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/files/25l2ttqanckb91ektwzqcgjxtd.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.comAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/files/6mdowyfv0k5u2o53i2za2za0k.css HTTP/1.1Accept: text/css, */*Referer: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.comAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/files/3ck5cxcjdvota2rci97kovhztq.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.comAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/files/3m71yrh4x2a2j2nkhzkrro2qcl.css HTTP/1.1Accept: text/css, */*Referer: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.comAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/files/1pcl69g5oyhz36eyspqh37na8.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.comAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/files/winmail_bg13_002.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.comAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/files/2qbmau5rsj0r418xxfzq45ee9j.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.comAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/files/winmail_bg13.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.comAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/files/winmail_bg13_002.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.comAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comRange: bytes=29801-If-Range: "a280b7a-1a378-5609ae31b4ac0"Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/files/login_bg.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.comAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xnxx/files/ixd481lrtotq10keebomtjfld.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.comAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1User-Agent: AutoItHost: kvsurgicals.com
Source: global trafficHTTP traffic detected: GET /xnxx/bycoon1c9mo4hzlcm53pm11r.php? HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: kvsurgicals.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /?so=winmailcust HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /winmailstyle.css HTTP/1.1Accept: text/css, */*Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/winmail_home_04.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/winmail_home_02.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /common.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/winmail_home_01.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/bg.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/spacer.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/wm_main1.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/winmail_home_23b.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/winmail_home_25b.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/winmail_home_27b.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/wm_arrow.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/winmail_home_03.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/new1.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/disc.gif HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.magicwinmail.netConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /technic.asp HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://www.magicwinmail.net/?so=winmailcustAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.magicwinmail.netConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/winmail_bg.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://www.magicwinmail.net/technic.asp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: www.magicwinmail.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/winmail_product_08.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://www.magicwinmail.net/technic.asp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: www.magicwinmail.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/winmail_product_16.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://www.magicwinmail.net/technic.asp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: www.magicwinmail.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/title_bg.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://www.magicwinmail.net/technic.asp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: www.magicwinmail.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/contactbg.gif HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://www.magicwinmail.net/technic.asp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: www.magicwinmail.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/winmail_bg.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://www.magicwinmail.net/technic.asp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: www.magicwinmail.net | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/more_b.gif HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://www.magicwinmail.net/technic.asp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: www.magicwinmail.net | Connection: Keep-Alive
Found strings which match known social media URLs
Source: technic[1].htm.2.dr | String found in binary or memory: Multi languages and Hotmail like webmail support that allow users | equals www.hotmail.com (Hotmail)
Source: msapplication.xml0.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb4f14016,0x01d521b2</date><accdate>0xb4f14016,0x01d521b2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> | equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb4f14016,0x01d521b2</date><accdate>0xb4f427c9,0x01d521b2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> | equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb4fe95d3,0x01d521b2</date><accdate>0xb4fe95d3,0x01d521b2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> | equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb4fe95d3,0x01d521b2</date><accdate>0xb4fe95d3,0x01d521b2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> | equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb5010b33,0x01d521b2</date><accdate>0xb5010b33,0x01d521b2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> | equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb5010b33,0x01d521b2</date><accdate>0xb5010b33,0x01d521b2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> | equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: kvsurgicals.com
URLs found in memory or binary data
Source: {DF1995F9-8DA5-11E9-AADF-9CC1A2A860C6}.dat.1.dr | String found in binary or memory: http://kvsurgicals.com
Source: ~DF343C5312A6E4FC6F.TMP.1.dr | String found in binary or memory: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?
Source: {DF1995F9-8DA5-11E9-AADF-9CC1A2A860C6}.dat.1.dr | String found in binary or memory: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c
Source: ~DF343C5312A6E4FC6F.TMP.1.dr | String found in binary or memory: http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?KDG901560375521b7d93b2ad6c42adbf2a4bff863c1
Source: 59ceo@cryptotelecom.com | String found in binary or memory: http://kvsurgicals.com/xnxx/index.php?email=ceo
Source: msapplication.xml.1.dr | String found in binary or memory: http://www.amazon.com/
Source: technic[1].htm.2.dr | String found in binary or memory: http://www.google-analytics.com/urchin.js
Source: msapplication.xml1.1.dr | String found in binary or memory: http://www.google.com/
Source: technic[1].htm.2.dr | String found in binary or memory: http://www.google.com/custom
Source: msapplication.xml2.1.dr | String found in binary or memory: http://www.live.com/
Source: {DF1995F9-8DA5-11E9-AADF-9CC1A2A860C6}.dat.1.dr | String found in binary or memory: http://www.magicw.net/?so=winmailcust
Source: ~DF343C5312A6E4FC6F.TMP.1.dr | String found in binary or memory: http://www.magicwinmail.net/?so=winmailcust
Source: ~DF343C5312A6E4FC6F.TMP.1.dr | String found in binary or memory: http://www.magicwinmail.net/?so=winmailcustdWinmail
Source: ~DF343C5312A6E4FC6F.TMP.1.dr | String found in binary or memory: http://www.magicwinmail.net/?so=winmailcustm53pm11r.php?KDG901560375521b7d93b2ad6c42adbf2a4bff863c1c
Source: imagestore.dat.2.dr | String found in binary or memory: http://www.magicwinmail.net/favicon.ico~
Source: ~DF343C5312A6E4FC6F.TMP.1.dr | String found in binary or memory: http://www.magicwinmail.net/technic.asp
Source: ~DF343C5312A6E4FC6F.TMP.1.dr | String found in binary or memory: http://www.magicwinmail.net/technic.asp:Winmail
Source: ~DF343C5312A6E4FC6F.TMP.1.dr | String found in binary or memory: http://www.magicwinmail.net/technic.aspustm53pm11r.php?KDG901560375521b7d93b2ad6c42adbf2a4bff863c1cb
Source: bycoon1c9mo4hzlcm53pm11r[2].htm.2.dr | String found in binary or memory: http://www.magicwinmail.net?so=winmailcust
Source: msapplication.xml3.1.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr | String found in binary or memory: http://www.youtube.com/
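The two hosts in this list matter for triage in different ways, and the report's clean verdict does not separate them: kvsurgicals.com appears with the targeted mailbox embedded in a query string (email=ceo here, and email=ceo@cryptotelecom.com in the URL reputation table further down), while the msapplication.xml* hits are browser favourite/tile configuration (a <browserconfig> carrying a <favorite src="C:\Users\user\Favorites\...url"/>) and are noise from the analysis VM rather than sample content. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report or of Joe Security's tooling. It takes (source, URL) pairs copied from the findings above, drops the browser-configuration sources, groups the rest by host and path, and flags query parameters that name a mailbox or carry an e-mail address. The parameter-name list, the e-mail pattern and the noise filter are the editor's own heuristics, and the embedded pairs are a subset of the report's strings.

```python
"""Triage helper for URL strings listed in a sandbox report (added example).

Groups report findings by host, drops browser-configuration noise and flags
query parameters that name a mailbox or carry an e-mail address.
"""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# (source, url) pairs copied from the "URLs found in memory or binary data"
# findings above; the full e-mail variant of index.php is from the URL
# reputation table. A subset of the report, embedded so this runs offline.
FINDINGS: list[tuple[str, str]] = [
    ("{DF1995F9-8DA5-11E9-AADF-9CC1A2A860C6}.dat.1.dr", "http://kvsurgicals.com"),
    ("~DF343C5312A6E4FC6F.TMP.1.dr", "http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?"),
    ("59ceo@cryptotelecom.com", "http://kvsurgicals.com/xnxx/index.php?email=ceo"),
    ("URL reputation table", "http://kvsurgicals.com/xnxx/index.php?email=ceo@cryptotelecom.com"),
    ("msapplication.xml.1.dr", "http://www.amazon.com/"),
    ("msapplication.xml1.1.dr", "http://www.google.com/"),
    ("technic[1].htm.2.dr", "http://www.google-analytics.com/urchin.js"),
    ("technic[1].htm.2.dr", "http://www.google.com/custom"),
    ("{DF1995F9-8DA5-11E9-AADF-9CC1A2A860C6}.dat.1.dr", "http://www.magicw.net/?so=winmailcust"),
    ("~DF343C5312A6E4FC6F.TMP.1.dr", "http://www.magicwinmail.net/?so=winmailcust"),
    ("~DF343C5312A6E4FC6F.TMP.1.dr", "http://www.magicwinmail.net/technic.asp"),
    ("msapplication.xml7.1.dr", "http://www.youtube.com/"),
]

# Editor's heuristics (not from the report): parameter names that usually
# identify the victim mailbox on a login form, and a simple e-mail shape.
MAILBOX_PARAMS = {"email", "e-mail", "mail", "user", "username", "login"}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_browser_config_noise(source: str) -> bool:
    """msapplication.xml* files hold IE favourite/tile configuration, not sample content."""
    return source.startswith("msapplication.xml")


def mailbox_parameters(url: str) -> list[tuple[str, str]]:
    """Return (name, value) query pairs that name a mailbox or hold an e-mail address."""
    hits = []
    # keep_blank_values so a bare token such as "?KDG9015..." still parses (as name, "").
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in MAILBOX_PARAMS or EMAIL_RE.match(value):
            hits.append((name, value))
    return hits


def summarize(findings):
    """Group non-noise findings by host: paths seen, sources they came from, flagged params."""
    hosts = defaultdict(lambda: {"paths": set(), "sources": set(), "mailbox_params": []})
    for source, url in findings:
        if is_browser_config_noise(source):
            continue
        parts = urlsplit(url)
        entry = hosts[parts.netloc.lower()]
        entry["paths"].add(parts.path or "/")
        entry["sources"].add(source)
        entry["mailbox_params"].extend(mailbox_parameters(url))
    return dict(hosts)


def hosts_with_mailbox_parameters(findings) -> list[str]:
    """Hosts that received a mailbox identifier in at least one URL; review these first."""
    return sorted(host for host, entry in summarize(findings).items() if entry["mailbox_params"])


if __name__ == "__main__":
    for host, entry in sorted(summarize(FINDINGS).items()):
        flag = " <-- mailbox parameter" if entry["mailbox_params"] else ""
        print(f"{host}{flag}")
        for path in sorted(entry["paths"]):
            print(f"    {path}")
        for name, value in entry["mailbox_params"]:
            print(f"    param {name}={value!r}")
```

Run stand-alone it prints one block per host with the paths seen and any flagged parameters; with the report's strings only kvsurgicals.com is flagged, and the Google URL from technic[1].htm survives the noise filter while the identical host from msapplication.xml1 is dropped, which is why the filter keys on the source file rather than on the host name.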

System Summary:

Classification label
Source: classification engine | Classification label: clean2.winCOM@3/52@3/2
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user~1\AppData\Local\Temp\~DFBF706FB0906B2FDD.TMP
Reads ini files
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Spawns processes
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4696 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4696 CREDAT:17410 /prefetch:2
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses new MSVCR DLLs
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Behavior Graph

Behavior Graph ID: 141285 | Sample: 59ceo@cryptotelecom.com | Start date: 12/06/2019 | Architecture: WINDOWS | Score: 2

Process tree (the two counters beside each process are created registry values / created files, per the graph legend):

  • iexplore.exe (3 / 89), started
    • iexplore.exe (1 / 74), started by the first iexplore.exe

DNS/IP info:

  • kvsurgicals.com, resolved by the sample; 166.62.10.29, ports 49712, 49713, 49714, ASN unknown, United States, contacted by the child iexplore.exe
  • www.magicwinmail.net; 209.172.89.247, ports 49723, 49724, 49725, ASN unknown, United States, contacted by the child iexplore.exe

Simulations

Behavior and APIs

No simulations

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
kvsurgicals.com | 3% | virustotal |
www.magicwinmail.net | 0% | virustotal |

URLs

Source | Detection | Scanner | Label
http://kvsurgicals.com/xnxx/files/winmail_bg13.jpg | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/winmail_bg.jpg | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/?so=winmailcust | 0% | virustotal |
http://www.magicwinmail.net/?so=winmailcust | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/?so=winmailcustdWinmail | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/contactbg.gif | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/more_b.gif | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbecb7d93b2ad6c42adbf2a4bff863c1cbec&email=ceo@cryptotelecom.com | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/technic.asp | 0% | virustotal |
http://www.magicwinmail.net/technic.asp | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/new1.gif | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/files/3m71yrh4x2a2j2nkhzkrro2qcl.css | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/technic.asp:Winmail | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/wm_main1.jpg | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/files/ixd481lrtotq10keebomtjfld.gif | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/common.js | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/?so=winmailcustm53pm11r.php?KDG901560375521b7d93b2ad6c42adbf2a4bff863c1c | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php? | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/winmail_home_01.jpg | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/winmail_home_25b.jpg | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/disc.gif | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/favicon.ico | 0% | virustotal |
http://www.magicwinmail.net/favicon.ico | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/winmail_product_16.jpg | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/files/2qbmau5rsj0r418xxfzq45ee9j.gif | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/files/25l2ttqanckb91ektwzqcgjxtd.js | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/favicon.ico | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/winmail_home_02.jpg | 0% | Avira URL Cloud | safe
http://kvsurgicals.com | 3% | virustotal |
http://kvsurgicals.com | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/winmail_home_23b.jpg | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/files/3ck5cxcjdvota2rci97kovhztq.js | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/bg.gif | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?GKDG901560375521b7d93b2ad6c42adbf2a4bff863c | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/wm_arrow.gif | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/winmail_home_03.jpg | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/files/1pcl69g5oyhz36eyspqh37na8.js | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/winmailstyle.css | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/winmail_home_04.jpg | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/title_bg.jpg | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/files/winmail_bg13_002.jpg | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/winmail_home_27b.jpg | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net?so=winmailcust | 0% | virustotal |
http://www.magicwinmail.net?so=winmailcust | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/files/login_bg.gif | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/index.php?email=ceo@cryptotelecom.com | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/bycoon1c9mo4hzlcm53pm11r.php?KDG901560375521b7d93b2ad6c42adbf2a4bff863c1 | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/favicon.ico~ | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/index.php?email=ceo | 0% | Avira URL Cloud | safe
http://kvsurgicals.com/xnxx/files/6mdowyfv0k5u2o53i2za2za0k.css | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/spacer.gif | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/images/winmail_product_08.jpg | 0% | Avira URL Cloud | safe
http://www.magicw.net/?so=winmailcust | 0% | Avira URL Cloud | safe
http://www.magicwinmail.net/technic.aspustm53pm11r.php?KDG901560375521b7d93b2ad6c42adbf2a4bff863c1cb | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
166.62.10.29 | 8Vg1Ju49O.xlsx | malicious | elanfirst.com/Z23/view.php

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | request.doc | malicious | 192.168.0.44
unknown | FERK444259.doc | malicious | 192.168.0.44
unknown | b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js | malicious | 192.168.0.40
unknown | Setup.exe | malicious | 192.168.0.40
unknown | base64.pdf | malicious | 192.168.0.40
unknown | file.pdf | malicious | 192.168.0.40
unknown | Spread sheet 2.pdf | malicious | 192.168.0.40
unknown | request_08.30.doc | malicious | 192.168.0.44
unknown | P_2038402.xlsx | malicious | 192.168.0.44
unknown | 48b1cf747a678641566cd1778777ca72.apk | malicious | 192.168.0.22
unknown | seu nome na lista de favorecidos.exe | malicious | 192.168.0.40
unknown | Adm_Boleto.via2.com | malicious | 192.168.0.40
unknown | QuitacaoVotorantim345309.exe | malicious | 192.168.0.40
unknown | pptxb.pdf | malicious | 192.168.0.40

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
