n0kVoIP.exe
This report is generated from a file or URL submitted to this webservice on July 19th 2018 04:05:30 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Reads terminal service related keys (often RDP related)
- Fingerprint
- Reads the active computer name
- Reads the cryptographic machine GUID
- Network Behavior
- Contacts 2 domains.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 4
-
External Systems
-
Sample was identified as malicious by a trusted Antivirus engine
- details
- No specific details available
- source
- External System
- relevance
- 5/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 4/64 Antivirus vendors marked sample as malicious (6% detection rate)
- source
- External System
- relevance
- 8/10
-
Unusual Characteristics
-
Checks for a resource fork (ADS) file
- details
- "<Input Sample>" checked file "C:"
- source
- API Call
- relevance
- 5/10
-
Contains native function calls
- details
-
NtdllDefWindowProc_W@NTDLL.DLL from n0kVoIP.exe (PID: 3580)
NtdllDefWindowProc_W@NTDLL.DLL from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Suspicious Indicators 28
-
Anti-Detection/Stealthyness
-
Queries kernel debugger information
- details
- "<Input Sample>" at 00010884-00003580-00000033-7502652268
- source
- API Call
- relevance
- 6/10
-
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "<Input Sample>" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- UPX1 with unusual entropies 7.91740802727
- source
- Static Parser
- relevance
- 10/10
-
PE file is packed with UPX
- details
-
"n0kVoIP.exe.bin" has a section named "UPX0"
"n0kVoIP.exe.bin" has a section named "UPX1"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
-
Environment Awareness
-
Contains ability to query CPU information
- details
- cpuid from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
- ATT&CK ID
- T1082
-
Contains ability to read monitor info
- details
- GetMonitorInfoW@USER32.DLL from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
- ATT&CK ID
- T1082
-
Reads the active computer name
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Reads the cryptographic machine GUID
- details
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 2/67 reputation engines marked "http://e.freewebhostingarea.com/403.html" as malicious (2% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
-
FindResourceW@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
LockResource@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
FindResourceW@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
FindResourceW@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
LockResource@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
FindResourceW@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
FindResourceW@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Installation/Persistance
-
Contains ability to download files from the internet
- details
-
URLDownloadToFileW@URLMON.DLL from n0kVoIP.exe (PID: 3580)
URLDownloadToFileW@URLMON.DLL from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Monitors specific registry key for changes
- details
-
"<Input Sample>" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 6388480)
"<Input Sample>" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 6388480)
- source
- API Call
- relevance
- 4/10
- ATT&CK ID
- T1012
-
Network Related
-
Found potential IP address in binary/memory
- details
- source
- File/Memory
- relevance
- 3/10
-
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
- source
- Network Traffic
- relevance
- 10/10
-
Pattern Matching
-
Contains ability to download files from the internet
- details
-
URLDownloadToFileW@URLMON.DLL from n0kVoIP.exe (PID: 3580)
URLDownloadToFileW@URLMON.DLL from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Remote Access Related
-
Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076
-
Spyware/Information Retrieval
-
Found an instant messenger related domain
- details
-
"skype.com" (Indicator: "skype.com"; File: "00010884-00003580.00000001.13126.00401000.00000040.mdmp")
"friendcaller.com" (Indicator: "friendcaller.com"; File: "00010884-00003580.00000001.13126.00401000.00000040.mdmp")
"sip.skype.com" (Indicator: "skype.com"; File: "00010884-00003580.00000001.13126.00401000.00000040.mdmp")
"proxy.friendcaller.com" (Indicator: "friendcaller.com"; File: "00010884-00003580.00000001.13126.00401000.00000040.mdmp")
- source
- File/Memory
- relevance
- 10/10
-
System Destruction
-
Marks file for deletion
- details
- "C:\n0kVoIP.exe" marked "C:\version" for deletion
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107
-
Opens file with deletion access rights
- details
- "<Input Sample>" opened "C:\version" with delete access
- source
- API Call
- relevance
- 7/10
-
System Security
-
Modifies proxy settings
- details
-
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Queries sensitive IE security settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
- ATT&CK ID
- T1012
-
Uncategorized Behavior
-
PE file has a section name known to be used by a packer/protector
- details
-
"n0kVoIP.exe.bin" has a section named "UPX0" which is known to be used by "UPX packer"
"n0kVoIP.exe.bin" has a section named "UPX1" which is known to be used by "UPX packer"
- source
- Static Parser
- relevance
- 10/10
-
Unusual Characteristics
-
Entrypoint in PE header is within an uncommon section
- details
- "n0kVoIP.exe.bin" has an entrypoint in section "UPX1"
- source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegEnumKeyW
VirtualProtect
GetProcAddress
VirtualAlloc
LoadLibraryA
ShellExecuteW
URLDownloadToFileW
- source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Hiding 3 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 18
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
SetUnhandledExceptionFilter@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
SetUnhandledExceptionFilter@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
-
Found reference to API InitCommonControls@COMCTL32.DLL from n0kVoIP.exe (PID: 3580)
Found reference to API InitializeCriticalSectionAndSpinCount@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
Found reference to API InitCommonControlsEx@COMCTL32.DLL from n0kVoIP.exe (PID: 3580)
Found reference to API FindActCtxSectionStringW@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
Found reference to API NotifyWinEvent@USER32.DLL from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
PE file contains zero-size sections
- details
- Raw size of "UPX0" is zero
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetSystemTimeAsFileTime@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
GetSystemTimeAsFileTime@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine version
- details
-
GetVersionExA@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
GetVersion@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
GetVersion@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
GetVersionExA@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
GetVersionExA@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
GetVersionExA@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 00437948h" from n0kVoIP.exe (PID: 3580)
Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "xor ecx, ebp" from n0kVoIP.exe (PID: 3580)
Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-10h], 02h" and "jne 00437B65h" from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.DLL from n0kVoIP.exe (PID: 3580)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/13 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Contacts domains
- details
-
"n0kvoip.orgfree.com"
"e.freewebhostingarea.com"
- source
- Network Traffic
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
- source
- Created Mutant
- relevance
- 3/10
-
GETs files from a webserver
- details
-
"GET //version HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)Host: n0kvoip.orgfree.comConnection: Keep-Alive"
"GET /403.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)Connection: Keep-AliveHost: e.freewebhostingarea.com"
- source
- Network Traffic
- relevance
- 5/10
-
Installation/Persistance
-
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"403[1].htm" has type "HTML document UTF-8 Unicode (with BOM) text"
"version" has type "HTML document UTF-8 Unicode (with BOM) text"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
"<Input Sample>" touched file "C:\Windows\SysWOW64\rsaenh.dll"
"<Input Sample>" touched file "C:\Windows\SysWOW64\wshqos.dll"
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\CP53U0VR\403[1].htm"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files"
"<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Cookies"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\History"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "sip.ovh.be"
Heuristic match: "sip01.otel.co.za"
Heuristic match: "nat.orbtalk.co.uk"
Heuristic match: "talk.orbtalk.co.uk"
Heuristic match: "sip.openvoip.it"
Heuristic match: "o7.omysip.com"
Heuristic match: "o6.omysip.com"
Heuristic match: "sip.omnivoice.eu"
Heuristic match: "sip.odorik.cz"
Heuristic match: "sip.varphonex.com"
Heuristic match: "sip.o-fone.com"
Heuristic match: "ata.nymgo.com"
Heuristic match: "sip.nonoh.net"
Heuristic match: "sip.nomado.eu"
Heuristic match: "sip.nimbuzzcalls.com"
Heuristic match: "gw.nimbuzzcalls.com"
Heuristic match: "dialnet.pl"
Heuristic match: "voip.wengo.fr"
Heuristic match: "sip.netvoip.ch"
Heuristic match: "sip.netappel.fr"
Heuristic match: "sip.neophonex.hu"
Heuristic match: "voip.mywowcall.com"
Heuristic match: "sip.mywebfon.com"
Heuristic match: "sipagate.com"
Heuristic match: "myaccount.ajpbiz.com"
Heuristic match: "sip.mytcom.it"
Heuristic match: "sip.myphone.ge"
Heuristic match: "sip01.mynetfone.com.au"
Heuristic match: "sip.myfon.pl"
Heuristic match: "sbc.multifon.ru"
Heuristic match: "sip.mukalameh.com"
Heuristic match: "voip.mouthmun.com"
Heuristic match: "sip99.mondotalk.com"
Heuristic match: "sip.mo-callnet.com"
Heuristic match: "sipregister.mixvoip.com"
Heuristic match: "sipreg.midwestsip.com"
Heuristic match: "mikrotech.sipcz.net"
Heuristic match: "sip.messagenet.it"
Heuristic match: "sip.megavoip.com"
Heuristic match: "sip.megafon.bg"
Heuristic match: "ast1.ozsite.net"
Heuristic match: "sip.mailxxl.com"
Heuristic match: "sip.lowratevoip.com"
Heuristic match: "proxy.localphone.com"
Heuristic match: "ar.llamadaip.org"
Heuristic match: "sip.linphone.org"
Heuristic match: "sip.liberailvoip.it"
Heuristic match: "did.voip.les.net"
Heuristic match: "sip.kiwilink.co.nz"
Heuristic match: "keyyo.net"
Heuristic match: "sip.kebu.it"
Heuristic match: "sip.justvoip.com"
Heuristic match: "sip.jumblo.com"
Heuristic match: "ca01.ivoz.net"
Heuristic match: "sip.itellvoip.com"
Heuristic match: "sip.com"
Heuristic match: "sip.worldcom.ch"
Heuristic match: "sip.ipvox.cz"
Heuristic match: "sip.iptel24.net"
Heuristic match: "sipit.iplink.no"
Heuristic match: "sip.ipfon.pl"
Heuristic match: "voip.ipcall.pl"
Heuristic match: "sip.intervoip.com"
Heuristic match: "sip.internode.on.net"
Heuristic match: "sip.internetcalls.com"
Heuristic match: "it.voipdnsservers.com"
Heuristic match: "sip.inphonex.com"
Heuristic match: "voip.IndiVoIP.com"
Heuristic match: "ip.asiaxl.com"
Heuristic match: "sip.wa.iinet.net.au"
Heuristic match: "iinetphone.iinet.net.au"
Heuristic match: "sip.ifon.pl"
Heuristic match: "proxy.ideasip.com"
Heuristic match: "sip.i3voiz.com"
Heuristic match: "sip.i2voip.com"
Heuristic match: "sip.vonworldwide.com"
Heuristic match: "sip.happycall.ro"
Heuristic match: "sip.2call.pl"
Heuristic match: "sip.halonet.pl"
Heuristic match: "sip.gulfsip.com"
Heuristic match: "gw.gulffoon.com"
Heuristic match: "voip.gsmcall.com"
Heuristic match: "nat.gradwell.net"
Heuristic match: "sip.gradwell.net"
Heuristic match: "sip.gotalk.com"
Heuristic match: "sip.gmx.net"
Heuristic match: "sx01.glovip.com"
Heuristic match: "sip.onsip.com"
Heuristic match: "proxy.friendcaller.com"
Heuristic match: "sip.freshtel.net"
Heuristic match: "fwd.pulver.com"
Heuristic match: "sip.freevoipdeal.com"
Heuristic match: "imfree.co.il"
Heuristic match: "freephonie.net"
Heuristic match: "sip.freeconet.pl"
Heuristic match: "proxy.freecall.net.au"
Heuristic match: "sip.voiparound.com"
Heuristic match: "gw1.fonet.dk"
Heuristic match: "proxy.sipthor.net"
Heuristic match: "sip.fivitel.com"
Heuristic match: "sip.voipcs.de"
Heuristic match: "sip.fastvoip.com"
Heuristic match: "sip.famocall.com"
Heuristic match: "sip.faktortel.com.au"
Heuristic match: "sip.ezytel.net.au"
Heuristic match: "sip1.exetel.com.au"
Heuristic match: "voip.eutelia.it"
Heuristic match: "enum.esky.co"
Heuristic match: "sip.inotel.pl"
Heuristic match: "inotel.pl"
Heuristic match: "sip.ephone.hu"
Heuristic match: "syd.byo.engin.com.au"
Heuristic match: "byo.engin.com.au"
Heuristic match: "proxy.voip.emt.ee"
Heuristic match: "voip.emt.ee"
Heuristic match: "sip.efoneking.com"
Heuristic match: "sip.ecocaller.com"
Heuristic match: "sip.easyvoip.com"
Heuristic match: "sip.enhancedvoip.net"
Heuristic match: "sip.easybell.de"
Heuristic match: "sip01.e-fon.ch"
Heuristic match: "proxy.dus.net"
Heuristic match: "proxy.digisip.net"
Heuristic match: "sip.diamondcard.us"
Heuristic match: "sip.dcalling.de"
Heuristic match: "sip.darmowytelefon.pl"
Heuristic match: "cubio.net"
Heuristic match: "sip.cosmovoice.com"
Heuristic match: "sip.corbina.net"
Heuristic match: "sip.coms.com"
Heuristic match: "voip.comcen.com.au"
Heuristic match: "sip.cheapnet.it"
Heuristic match: "sip.carpo.de"
Heuristic match: "sip.callwithus.com"
Heuristic match: "sip.calltopbx.com"
Heuristic match: "sip.callromania.ro"
Heuristic match: "voip1.callpal.net"
Heuristic match: "sip.budgetsip.com"
Heuristic match: "sip1.budgetphone.nl"
Heuristic match: "proxy.nyc.broadvoice.com"
Heuristic match: "sip.broadvoice.com"
Heuristic match: "sip.bravoip.com"
Heuristic match: "sip.brasilconnecting.com.br"
Heuristic match: "brain.net.pk"
Heuristic match: "sip.blueface.ie"
Heuristic match: "sip.bgopen.net"
Heuristic match: "bellshare.com"
Heuristic match: "gw.barablu.com"
Heuristic match: "voip3.bankoi.com"
Heuristic match: "nat.babytel.ca"
Heuristic match: "sip.babytel.ca"
Heuristic match: "s-p-voip.de"
Heuristic match: "gw1.atpnet.com.au"
Heuristic match: "02131.sip.arcor.de"
Heuristic match: "call.arcor.de"
Heuristic match: "sip.aql.com"
Heuristic match: "voip.aptela.com"
Heuristic match: "sip1.altecom.net"
Heuristic match: "altecom.net"
Heuristic match: "sip.allo.md"
Heuristic match: "sip.annatel.net"
Heuristic match: "m.amivox.com"
Heuristic match: "sip.airtelgold.com"
Heuristic match: "gw.Airtelasia.com"
Heuristic match: "sip04dk.call-it.biz"
Heuristic match: "sip.adamvozip.es"
Heuristic match: "sip.adam.com.au"
Heuristic match: "sip.actionvoip.com"
Heuristic match: "sip.voipcheap.com"
Heuristic match: "voip5.acanac.com"
Heuristic match: "sip.abbeyphone.com"
Heuristic match: "switch.Abbatel.com"
Heuristic match: "sip.a1.net"
Heuristic match: "sip.1und1.de"
Heuristic match: "sip03.us.overvoip.net"
Heuristic match: "sip.12connect.com"
Heuristic match: "sip.12voip.com"
Heuristic match: "sip1.007voip.com"
Heuristic match: "stun.goandcall.com"
Heuristic match: "stun.rnktel.com"
Heuristic match: "stun.webcalldirect.com"
Heuristic match: "stun.voxalot.com"
Heuristic match: "stun.vortel.de"
Heuristic match: "stun.voipwise.com"
Heuristic match: "stun.voipstunt.com"
Heuristic match: "stun.voipraider.com"
Heuristic match: "stun.voiphit.com"
Heuristic match: "stun.voipgate.com"
Heuristic match: "stun.voipgain.com"
Heuristic match: "stun.voipdiscount.com"
Heuristic match: "stun.voipcheap.com"
Heuristic match: "stun.voipcaptain.com"
Heuristic match: "stun.voipbusterpro.com"
Heuristic match: "stun.voipbuster.com"
Heuristic match: "stun.voicehost.co.uk"
Heuristic match: "stun.viva.gr"
Heuristic match: "stun.freeswitch.org"
Heuristic match: "stun.unotel.dk"
Heuristic match: "stun.terrasip.net"
Heuristic match: "stun.t-online.de"
Heuristic match: "stun.stuntcalls.com"
Heuristic match: "iphone-stun.strato-iphone.de"
Heuristic match: "sip.spikko.com"
Heuristic match: "stun.speedsip.com"
Heuristic match: "stun.sparvoip.de"
Heuristic match: "stun.softcall.me"
Heuristic match: "stun.smsdiscount.com"
Heuristic match: "stun.smartvoip.com"
Heuristic match: "stun.siptraffic.com"
Heuristic match: "stun.sipnet.ru"
Heuristic match: "stun1.sipload.com"
Heuristic match: "stun.sipkom.com"
Heuristic match: "stun.sipgate.net"
Heuristic match: "stun.sipdiscount.com"
Heuristic match: "stun.sightspeed.com"
Heuristic match: "stun.rynga.com"
Heuristic match: "stun.powervoip.com"
Heuristic match: "stun.poivy.com"
Heuristic match: "stun.personal-voip.de"
Heuristic match: "stun.voip.ovh.net"
Heuristic match: "sip.ovh.net"
Heuristic match: "stunserver.org"
Heuristic match: "stun.nonoh.net"
Heuristic match: "stun01.sipphone.com"
Heuristic match: "ip.dialnet.pl"
Heuristic match: "stun.netappel.fr"
Heuristic match: "stun.xten.net"
Heuristic match: "stun.sipagate.com"
Heuristic match: "stun.myphone.ge"
Heuristic match: "stun.musimi.dk"
Heuristic match: "stun.mixvoip.com"
Heuristic match: "stun.megavoip.com"
Heuristic match: "stun.lowratevoip.com"
Heuristic match: "stun.jumblo.com"
Heuristic match: "stun.intervoip.com"
Heuristic match: "stun.internetcalls.com"
Heuristic match: "stun.ideasip.com"
Heuristic match: "stun.vonworldwide.com"
Heuristic match: "stun.halonet.pl"
Heuristic match: "stun.gmx.net"
Heuristic match: "stun.voiparound.com"
Heuristic match: "stun.fonosip.com"
Heuristic match: "stun.voipcs.de"
Heuristic match: "stun.voip.eutelia.it"
Heuristic match: "stun.easybell.de"
Heuristic match: "stun.e-fon.ch"
Heuristic match: "stun.cosmovoice.com"
Heuristic match: "stun.carpo.de"
Heuristic match: "stun.callwithus.com"
Heuristic match: "stun.xten.com"
Heuristic match: "stun.budgetsip.com"
Heuristic match: "stun.bluesip.net"
Heuristic match: "stun.bellshare.com"
Heuristic match: "stun.voipinfocenter.com"
Heuristic match: "stun.actionvoip.com"
Heuristic match: "stun.fwdnet.net"
Heuristic match: "sip.actio.pl"
Heuristic match: "stun.2talk.com"
Heuristic match: "stun.1und1.de"
Heuristic match: "stun.12connect.com"
Heuristic match: "stun.12voip.com"
Heuristic match: "stun.007voip.com"
Pattern match: "www.umc.ua"
Pattern match: "www.jeans.ua"
Heuristic match: "general.t-mobile.uk"
Heuristic match: "payandgo.o2.co.uk"
Heuristic match: "mobile.o2.co.uk"
Pattern match: "www.dtac.co.th"
Heuristic match: "gprs.swisscom.ch"
Heuristic match: "isplnk1.swip.net"
Heuristic match: "online.telia.se"
Heuristic match: "airtelnet.es"
Heuristic match: "movistar.es"
Heuristic match: "internet.primtel.ru"
Heuristic match: "internet.mts.ru"
Heuristic match: "internet.beeline.ru"
Heuristic match: "internet.vodafone.pt"
Pattern match: "www.globe.com.ph"
Pattern match: "www.plusgsm.pl"
Pattern match: "www.idea.pl"
Heuristic match: "internet.netcom.no"
Pattern match: "www.vodafone.net.nz"
Heuristic match: "office.vodafone.nl"
Heuristic match: "web.vodafone.nl"
Heuristic match: "internet.itelcel.com"
Heuristic match: "timenet.com.my"
Heuristic match: "vox.lu"
Heuristic match: "web.pt.lu"
Heuristic match: "gprs.omnitel.net"
Heuristic match: "uni.tim.it"
Heuristic match: "web.omnitel.it"
Heuristic match: "isp.vodafone.ie"
Heuristic match: "satelindogprs.com"
Pattern match: "www.indosat-m3.net"
Heuristic match: "bplgprs.com"
Heuristic match: "airtelgprs.com"
Heuristic match: "standardnet.vodafone.hu"
Heuristic match: "vitamax.snet.internet.net"
Heuristic match: "web.orangehk.com"
Heuristic match: "internet.vodafone.gr"
Heuristic match: "gnet.b-online.gr"
Heuristic match: "quam.de"
Heuristic match: "internet.t-d1.de"
Heuristic match: "internet.eplus.de"
Heuristic match: "web.vodafone.de"
Heuristic match: "orange.fr"
Heuristic match: "b2bouygtel.com"
Heuristic match: "ebouygtel.com"
Heuristic match: "internet.emt.ee"
Heuristic match: "internet.vodafone.net"
Heuristic match: "web.orange.dk"
Heuristic match: "internet.t-mobile.cz"
Heuristic match: "gprs5.vipnet.hr"
Heuristic match: "gprs0.vipnet.hr"
Heuristic match: "imovil.entelpcs.cl"
Heuristic match: "internet.fido.ca"
Heuristic match: "vpn.com"
Heuristic match: "internet.com"
Heuristic match: "tim.br"
Heuristic match: "claro.com.br"
Heuristic match: "internet.proximus.be"
Heuristic match: "web.pro.be"
Heuristic match: "web@telering.at"
Heuristic match: "gprs@a1plus.at"
Heuristic match: "A1.net"
Heuristic match: "vfinternet.au"
Pattern match: "http://www.freewebhostingarea.com/agreement.html"
Pattern match: "http://www.freewebhostingarea.com/contact/"
Pattern match: "http://www.freewebhostingarea.com/images/app.png"
Pattern match: "http://user99.freewebhostingarea.com/a/spot1e3xx.js"
Pattern match: "http://www.freewebhostingarea.com/images/database.png"
Pattern match: "http://www.freewebhostingarea.com/images/users.png"
Pattern match: "http://www.1freecounter.com" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
-
System Security
-
Creates or modifies windows services
- details
- "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "n0kVoIP.exe.bin" was detected as "UPX v1.25 (Delphi) Stub"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002
File Details
n0kVoIP.exe
- Filename
- n0kVoIP.exe
- Size
- 155KiB (158208 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- Architecture
- WINDOWS
- SHA256
- 6261ba6acc1c69dfaf358ef7f063f62d5df5e070a63850055a4f6e70a94dde54
- MD5
- 80d84acaf65b6828c76307c9524c6020
- SHA1
- 98076837b4f7e460595546334834299a08e30145
- ssdeep
- 3072:MxcMLl8r2016EN3IND7J794EFLVM8zyYt3qTc+Ar3Z340rEvVCglSdJv4w:Cfs9wD71BVM8Pt6TTA7Z37raWd3
- imphash
- d3ed1643cc2b4282b7ea2c42d3b0ab0b
- authentihash
- d04970294cfcd028fb68341239f0b94a9ca7c2d54d0fe911ee8c56124d67cd30
- Compiler/Packer
- UPX v1.25 (Delphi) Stub
Version Info
- LegalCopyright
- All rights reserved.
- FileVersion
- 2014, 3, 16, 0
- ProductVersion
- 2014, 3, 16, 0
- Translation
- 0x0409 0x04e4
Classification (TrID)
- 42.3% (.EXE) UPX compressed Win32 Executable
- 36.7% (.EXE) Win32 EXE Yoda's Crypter
- 9.1% (.DLL) Win32 Dynamic Link Library (generic)
- 6.2% (.EXE) Win32 Executable (generic)
- 2.7% (.EXE) Generic Win/DOS Executable
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 8.00 (Visual Studio 2005) (build: 50727)
- 1 .RES Files linked with CVTRES.EXE 8.00 (Visual Studio 2005) (build: 50727)
- 1 .EXP Files linked with LINK.EXE 8.00 (Visual Studio 2005) (build: 50727)
- 24 .CPP Files (with LTCG) compiled with CL.EXE 14.00 (Visual Studio 2005) (build: 50727)
- 114 .CPP Files compiled with CL.EXE 14.00 (Visual Studio 2005) (build: 50727)
- 161 .C Files compiled with CL.EXE 14.00 (Visual Studio 2005) (build: 50727)
- 26 .ASM Files assembled with MASM 8.00 (Visual Studio 2005) (build: 50727)
- 23 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 7 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 4035)
- 2 .OBJ Files linked with ALIASOBJ.EXE 8.00 (Internal OLDNAMES.LIB Tool) (build: 50327)
- File contains C++ code
- File contains assembly code
- File appears to contain raw COFF/OMF content
- File was optimized using LTCG and/or POGO
- File is the product of a large codebase (325 files)
Hybrid Analysis
Analysed 1 process in total.
- n0kVoIP.exe (PID: 3580) 3/73
Network Analysis
DNS Requests
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
Endpoint | Request | URL | |
---|---|---|---|
173.208.195.156:80 (n0kvoip.orgfree.com) | GET | n0kvoip.orgfree.com//version | GET //version HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: n0kvoip.orgfree.com
Connection: Keep-Alive |
72.9.150.244:80 (e.freewebhostingarea.com) | GET | e.freewebhostingarea.com/403.html | GET /403.html HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Connection: Keep-Alive
Host: e.freewebhostingarea.com |
Memory Forensics
String | Context | Stream UID |
---|---|---|
stun.1und1.de | Domain/IP reference | 00010884-00003580-56441-4234-00415E42 |
n0kvoip.orgfree.com/ | Domain/IP reference | 00010884-00003580-56441-6043-00401EBE |
http://www.wapforum.org/dtd/prov.dtd | Domain/IP reference | 00010884-00003580-56441-4233-00414111 |
http://www.w3.org/xml/1998/namespace | Domain/IP reference | 00010884-00003580-56441-4028-00409204 |
Extracted Strings
Extracted Files
-
Informative Selection 1
-
-
version
- Size
- 6.6KiB (6801 bytes)
- Type
- html
- Description
- HTML document, UTF-8 Unicode (with BOM) text
- Runtime Process
- n0kVoIP.exe (PID: 3580)
- MD5
- 702c6cb1030a4915db71a2c591a0e841
- SHA1
- 65bdf7d2dcfd83f41a9772bf0de8297e0e2c16ba
- SHA256
- 1c40d229b64b3a32b3454751fd5bb55e2b886f09b17d70d425878b18abc39ee7
-
-
Informative 1
-
-
403[1].htm
- Size
- 6.6KiB (6801 bytes)
- Type
- html
- Description
- HTML document, UTF-8 Unicode (with BOM) text
- Runtime Process
- n0kVoIP.exe (PID: 3580)
- MD5
- 702c6cb1030a4915db71a2c591a0e841
- SHA1
- 65bdf7d2dcfd83f41a9772bf0de8297e0e2c16ba
- SHA256
- 1c40d229b64b3a32b3454751fd5bb55e2b886f09b17d70d425878b18abc39ee7
-