osiris | dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19

Resubmissions

13/09/2021, 07:53 UTC

210913-jqz1badce3 10

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2024, 14:40 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
Size

1.2MB
MD5

46418f7453541b35f5962bc93588c8d4
SHA1

f6d57ef7add3039a956dd4a86f0efafb375d5eaf
SHA256

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19
SHA512

cb7c7acc6496155f96f357be50ff789ab5bbe668f7624592f27cd9093914026848e476ea367ca6177e66f78f2c59300b78b9ac8092d5c2e0499069a21097620b
SSDEEP

12288:u+rq0yKJ7KZeBA4DVzlzEyn2QFqTjCAjkTnV/QH7OTzId2nfpN3fXx:FW0yreAkpzP/QCAjkTmbOwYRZB

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Executes dropped EXE 1 IoCs

pid	Process
908	GetX64BTIT.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org
17	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1236	1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe	89
PID 1496 wrote to memory of 1236	1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe	89
PID 1496 wrote to memory of 908	1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe	90
PID 1496 wrote to memory of 908	1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe	90
PID 1496 wrote to memory of 3476	1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe	76
PID 1496 wrote to memory of 4916	1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe	77
PID 1496 wrote to memory of 4452	1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe	78
PID 1496 wrote to memory of 4260	1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe	79
PID 1496 wrote to memory of 2012	1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe	80
PID 1496 wrote to memory of 5016	1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe	82
PID 1496 wrote to memory of 4492	1496	dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe	83
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99
PID 3476 wrote to memory of 4424	3476	msedge.exe	99

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ff89b692e98,0x7ff89b692ea4,0x7ff89b692eb0
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2688 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2984 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2852 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5400 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2984 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:4200

C:\Users\Admin\AppData\Local\Temp\dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe
"C:\Users\Admin\AppData\Local\Temp\dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496
- C:\windows\hh.exe
  "C:\windows\hh.exe"
  2⤵
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:908

Network

DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
GET

http://204.13.164.118/tor/status-vote/current/consensus

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

204.13.164.118:80

Request

GET /tor/status-vote/current/consensus HTTP/1.0
Host: 204.13.164.118

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:40:42 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Sun, 14 Apr 2024 15:00:00 GMT
Vary: X-Or-Diff-From-Consensus
DNS

73.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.159.190.20.in-addr.arpa

IN PTR

Response
DNS

118.164.13.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

118.164.13.204.in-addr.arpa

IN PTR

Response

118.164.13.204.in-addr.arpa

IN PTR

bastetreadthefinemanualnet
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

api.ipify.org

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN A

104.26.12.205

api.ipify.org

IN A

172.67.74.152

api.ipify.org

IN A

104.26.13.205
GET

https://api.ipify.org/

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

104.26.12.205:443

Request

GET / HTTP/1.0
Host: api.ipify.org

Response

HTTP/1.1 200 OK

Date: Sun, 14 Apr 2024 14:40:45 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 874473eccd196317-LHR
GET

http://217.196.147.77/tor/server/fp/81ae230d4e2915cc562c0d202d19b3f0f385144a

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

217.196.147.77:80

Request

GET /tor/server/fp/81ae230d4e2915cc562c0d202d19b3f0f385144a HTTP/1.0
Host: 217.196.147.77

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:40:45 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:40:45 GMT
DNS

time-a.nist.gov

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

8.8.8.8:53

Request

time-a.nist.gov

IN A

Response

time-a.nist.gov

IN CNAME

time-a-g.nist.gov

time-a-g.nist.gov

IN A

129.6.15.28
DNS

77.147.196.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.147.196.217.in-addr.arpa

IN PTR

Response

77.147.196.217.in-addr.arpa

IN CNAME

77.72-79.147.196.217.in-addr.arpa

77.72-79.147.196.217.in-addr.arpa

IN PTR

torcypherpunkseu
DNS

205.12.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.12.26.104.in-addr.arpa

IN PTR

Response
DNS

time-a-g.nist.gov

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

8.8.8.8:53

Request

time-a-g.nist.gov

IN A

Response

time-a-g.nist.gov

IN A

129.6.15.28
DNS

time.nist.gov

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

8.8.8.8:53

Request

time.nist.gov

IN A

Response

time.nist.gov

IN CNAME

ntp1.glb.nist.gov

ntp1.glb.nist.gov

IN A

132.163.96.1
GET

http://216.218.219.41/tor/server/fp/8f11b2e253cec4c5c463bf38ab1ca645b7294d52

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/8f11b2e253cec4c5c463bf38ab1ca645b7294d52 HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:40:47 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:40:47 GMT
DNS

202.189.111.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.189.111.23.in-addr.arpa

IN PTR

Response

202.189.111.23.in-addr.arpa

IN PTR

23-111-189-202statichvvcus
DNS

28.15.6.129.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.15.6.129.in-addr.arpa

IN PTR

Response

28.15.6.129.in-addr.arpa

IN PTR

time-a-gnistgov
DNS

1.96.163.132.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.96.163.132.in-addr.arpa

IN PTR

Response

1.96.163.132.in-addr.arpa

IN PTR

time-a-bnistgov
GET

http://216.218.219.41/tor/server/fp/330a5d4f9d5d5326b9aac12c339eb49279d60237

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/330a5d4f9d5d5326b9aac12c339eb49279d60237 HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:40:48 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:40:48 GMT
DNS

41.219.218.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.219.218.216.in-addr.arpa

IN PTR

Response
GET

http://216.218.219.41/tor/server/fp/2500f9daba5e4682d035203e968de6bf020c73c4

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/2500f9daba5e4682d035203e968de6bf020c73c4 HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:40:51 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:40:51 GMT
GET

http://217.196.147.77/tor/server/fp/253e7c6802f75bd54616872693a5922ed2a1534d

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

217.196.147.77:80

Request

GET /tor/server/fp/253e7c6802f75bd54616872693a5922ed2a1534d HTTP/1.0
Host: 217.196.147.77

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:40:52 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:40:52 GMT
GET

http://216.218.219.41/tor/server/fp/254c0a96a24f639fefb49a0c94847def158afaae

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/254c0a96a24f639fefb49a0c94847def158afaae HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:40:54 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:40:54 GMT
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
GET

http://216.218.219.41/tor/server/fp/941985cde2dc9d67fec0703a8ffd061e3b4ba8a9

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/941985cde2dc9d67fec0703a8ffd061e3b4ba8a9 HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:40:56 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:40:56 GMT
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
GET

http://45.66.35.11/tor/server/fp/941c3d20bd0563d15ce7298301b5f7269b0ef0f8

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

45.66.35.11:80

Request

GET /tor/server/fp/941c3d20bd0563d15ce7298301b5f7269b0ef0f8 HTTP/1.0
Host: 45.66.35.11

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:40:57 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:40:57 GMT
GET

http://45.66.35.11/tor/server/fp/9423a72bbc8b5c6ac9de9f57735eb2b08e4156e8

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

45.66.35.11:80

Request

GET /tor/server/fp/9423a72bbc8b5c6ac9de9f57735eb2b08e4156e8 HTTP/1.0
Host: 45.66.35.11

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:40:59 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:40:59 GMT
DNS

11.35.66.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.35.66.45.in-addr.arpa

IN PTR

Response

11.35.66.45.in-addr.arpa

IN PTR

tordizumcom
GET

http://217.196.147.77/tor/server/fp/20f667f680eed64e5e7fc39563241736b3fd9f11

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

217.196.147.77:80

Request

GET /tor/server/fp/20f667f680eed64e5e7fc39563241736b3fd9f11 HTTP/1.0
Host: 217.196.147.77

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:41:02 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:41:02 GMT
DNS

125.131.32.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

125.131.32.84.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

134.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.71.91.104.in-addr.arpa

IN PTR

Response

134.71.91.104.in-addr.arpa

IN PTR

a104-91-71-134deploystaticakamaitechnologiescom
GET

http://216.218.219.41/tor/server/fp/14a1d6b6f417dec38bb05a3ffad566f6e003e0d9

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/14a1d6b6f417dec38bb05a3ffad566f6e003e0d9 HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:41:11 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:41:11 GMT
GET

http://217.196.147.77/tor/server/fp/5d53a35fd74afb4614f982ef9983826c3dae08ef

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

217.196.147.77:80

Request

GET /tor/server/fp/5d53a35fd74afb4614f982ef9983826c3dae08ef HTTP/1.0
Host: 217.196.147.77

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:41:11 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:41:11 GMT
DNS

chromewebstore.googleapis.com

Remote address:

8.8.8.8:53

Request

chromewebstore.googleapis.com

IN A

Response

chromewebstore.googleapis.com

IN A

172.217.169.10

chromewebstore.googleapis.com

IN A

216.58.212.202

chromewebstore.googleapis.com

IN A

216.58.212.234

chromewebstore.googleapis.com

IN A

172.217.169.74

chromewebstore.googleapis.com

IN A

172.217.169.42

chromewebstore.googleapis.com

IN A

142.250.179.234

chromewebstore.googleapis.com

IN A

142.250.180.10

chromewebstore.googleapis.com

IN A

142.250.187.202

chromewebstore.googleapis.com

IN A

142.250.187.234

chromewebstore.googleapis.com

IN A

142.250.178.10

chromewebstore.googleapis.com

IN A

172.217.16.234

chromewebstore.googleapis.com

IN A

142.250.200.10

chromewebstore.googleapis.com

IN A

142.250.200.42

chromewebstore.googleapis.com

IN A

216.58.201.106

chromewebstore.googleapis.com

IN A

216.58.204.74
DNS

10.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.169.217.172.in-addr.arpa

IN PTR

Response

10.169.217.172.in-addr.arpa

IN PTR

lhr25s26-in-f101e100net
GET

http://45.66.35.11/tor/server/fp/bc7bbfbbf4ae5469405591d28bf3ef8071b0f32e

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

45.66.35.11:80

Request

GET /tor/server/fp/bc7bbfbbf4ae5469405591d28bf3ef8071b0f32e HTTP/1.0
Host: 45.66.35.11

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:41:30 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:41:30 GMT
DNS

206.92.89.152.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.92.89.152.in-addr.arpa

IN PTR

Response
GET

http://216.218.219.41/tor/server/fp/d0886a4af140123e476d7804ef51ca74bae1ce5f

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/d0886a4af140123e476d7804ef51ca74bae1ce5f HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:41:32 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:41:32 GMT
GET

http://217.196.147.77/tor/server/fp/6bddb87bd4f79460b1484795c12d5d54b0a1c820

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

217.196.147.77:80

Request

GET /tor/server/fp/6bddb87bd4f79460b1484795c12d5d54b0a1c820 HTTP/1.0
Host: 217.196.147.77

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:41:32 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:41:32 GMT
GET

http://45.66.35.11/tor/server/fp/66cc7059f89514dd604a3fcb5ded02dea859d5b2

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

45.66.35.11:80

Request

GET /tor/server/fp/66cc7059f89514dd604a3fcb5ded02dea859d5b2 HTTP/1.0
Host: 45.66.35.11

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:41:40 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:41:40 GMT
GET

http://217.196.147.77/tor/server/fp/153460c0fe0945b0269999554e85534a2f709d8d

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

217.196.147.77:80

Request

GET /tor/server/fp/153460c0fe0945b0269999554e85534a2f709d8d HTTP/1.0
Host: 217.196.147.77

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:41:40 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:41:40 GMT
GET

http://45.66.35.11/tor/server/fp/e7adc26703d5f9f7271eb93708ee4bc5184c8372

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

45.66.35.11:80

Request

GET /tor/server/fp/e7adc26703d5f9f7271eb93708ee4bc5184c8372 HTTP/1.0
Host: 45.66.35.11

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:41:40 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:41:40 GMT
DNS

240.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.197.17.2.in-addr.arpa

IN PTR

Response

240.197.17.2.in-addr.arpa

IN PTR

a2-17-197-240deploystaticakamaitechnologiescom
DNS

2.223.216.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.223.216.88.in-addr.arpa

IN PTR

Response

2.223.216.88.in-addr.arpa

IN PTR

222321688kemmitde
GET

http://216.218.219.41/tor/server/fp/60fd4fc8ae76af71d3af70010eedee39b58d0296

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/60fd4fc8ae76af71d3af70010eedee39b58d0296 HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:41:57 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:41:57 GMT
GET

http://217.196.147.77/tor/server/fp/2ec9170885695cbf9faa335a671dc3557cc57a54

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

217.196.147.77:80

Request

GET /tor/server/fp/2ec9170885695cbf9faa335a671dc3557cc57a54 HTTP/1.0
Host: 217.196.147.77

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:41:57 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:41:57 GMT
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

149.47.6.81.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.47.6.81.in-addr.arpa

IN PTR

Response

149.47.6.81.in-addr.arpa

IN PTR

81-6-47-149init7net
GET

http://216.218.219.41/tor/server/fp/dbc93b0f5225291f5d1ebf2ca4f3f90b879f00f8

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/dbc93b0f5225291f5d1ebf2ca4f3f90b879f00f8 HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:42:02 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:42:02 GMT
DNS

240.143.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.143.123.92.in-addr.arpa

IN PTR

Response

240.143.123.92.in-addr.arpa

IN PTR

a92-123-143-240deploystaticakamaitechnologiescom
GET

http://216.218.219.41/tor/server/fp/07c17931ae2e17f95681fa2a91c7f7cdb068bf48

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/07c17931ae2e17f95681fa2a91c7f7cdb068bf48 HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:42:09 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:42:09 GMT
GET

http://216.218.219.41/tor/server/fp/c96601a972ee73b5683b61fbc0d6902d0e772585

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/c96601a972ee73b5683b61fbc0d6902d0e772585 HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:42:10 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:42:10 GMT
DNS

86.20.68.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.20.68.77.in-addr.arpa

IN PTR

Response
GET

http://216.218.219.41/tor/server/fp/ec8e0af0670a443fdbc29806e77e81ee167de765

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

Remote address:

216.218.219.41:80

Request

GET /tor/server/fp/ec8e0af0670a443fdbc29806e77e81ee167de765 HTTP/1.0
Host: 216.218.219.41

Response

HTTP/1.0 200 OK

Date: Sun, 14 Apr 2024 14:42:11 GMT
Content-Type: text/plain
X-Your-Address-Is: 191.101.209.39
Content-Encoding: identity
Expires: Tue, 16 Apr 2024 14:42:11 GMT
DNS

225.162.46.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

225.162.46.104.in-addr.arpa

IN PTR

Response

204.13.164.118:80

http://204.13.164.118/tor/status-vote/current/consensus

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

124.2kB
3.3MB
1897
2387

HTTP Request

GET http://204.13.164.118/tor/status-vote/current/consensus

HTTP Response

200
104.26.12.205:443

https://api.ipify.org/

tls, http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

902 B
5.7kB
12
13

HTTP Request

GET https://api.ipify.org/

HTTP Response

200
217.196.147.77:80

http://217.196.147.77/tor/server/fp/81ae230d4e2915cc562c0d202d19b3f0f385144a

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.7kB
6
6

HTTP Request

GET http://217.196.147.77/tor/server/fp/81ae230d4e2915cc562c0d202d19b3f0f385144a

HTTP Response

200
23.111.189.202:443

tls, https

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

22.4kB
24.5kB
59
73
129.6.15.28:13

time-a.nist.gov

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

190 B
132 B
4
3
129.6.15.28:13

time-a-g.nist.gov

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

190 B
132 B
4
3
132.163.96.1:13

time.nist.gov

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

190 B
223 B
4
4
216.218.219.41:80

http://216.218.219.41/tor/server/fp/8f11b2e253cec4c5c463bf38ab1ca645b7294d52

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

417 B
6.7kB
7
9

HTTP Request

GET http://216.218.219.41/tor/server/fp/8f11b2e253cec4c5c463bf38ab1ca645b7294d52

HTTP Response

200
216.218.219.41:80

http://216.218.219.41/tor/server/fp/330a5d4f9d5d5326b9aac12c339eb49279d60237

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

509 B
11.3kB
9
12

HTTP Request

GET http://216.218.219.41/tor/server/fp/330a5d4f9d5d5326b9aac12c339eb49279d60237

HTTP Response

200
216.218.219.41:80

http://216.218.219.41/tor/server/fp/2500f9daba5e4682d035203e968de6bf020c73c4

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.7kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/2500f9daba5e4682d035203e968de6bf020c73c4

HTTP Response

200
217.196.147.77:80

http://217.196.147.77/tor/server/fp/253e7c6802f75bd54616872693a5922ed2a1534d

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.7kB
6
6

HTTP Request

GET http://217.196.147.77/tor/server/fp/253e7c6802f75bd54616872693a5922ed2a1534d

HTTP Response

200
216.218.219.41:80

http://216.218.219.41/tor/server/fp/254c0a96a24f639fefb49a0c94847def158afaae

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.7kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/254c0a96a24f639fefb49a0c94847def158afaae

HTTP Response

200
216.218.219.41:80

http://216.218.219.41/tor/server/fp/941985cde2dc9d67fec0703a8ffd061e3b4ba8a9

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.8kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/941985cde2dc9d67fec0703a8ffd061e3b4ba8a9

HTTP Response

200
45.66.35.11:80

http://45.66.35.11/tor/server/fp/941c3d20bd0563d15ce7298301b5f7269b0ef0f8

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

368 B
2.8kB
6
6

HTTP Request

GET http://45.66.35.11/tor/server/fp/941c3d20bd0563d15ce7298301b5f7269b0ef0f8

HTTP Response

200
45.66.35.11:80

http://45.66.35.11/tor/server/fp/9423a72bbc8b5c6ac9de9f57735eb2b08e4156e8

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

414 B
6.7kB
7
9

HTTP Request

GET http://45.66.35.11/tor/server/fp/9423a72bbc8b5c6ac9de9f57735eb2b08e4156e8

HTTP Response

200
217.196.147.77:80

http://217.196.147.77/tor/server/fp/20f667f680eed64e5e7fc39563241736b3fd9f11

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.7kB
6
6

HTTP Request

GET http://217.196.147.77/tor/server/fp/20f667f680eed64e5e7fc39563241736b3fd9f11

HTTP Response

200
84.32.131.125:443

tls, https

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

21.5kB
24.3kB
53
71
216.218.219.41:80

http://216.218.219.41/tor/server/fp/14a1d6b6f417dec38bb05a3ffad566f6e003e0d9

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.8kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/14a1d6b6f417dec38bb05a3ffad566f6e003e0d9

HTTP Response

200
217.196.147.77:80

http://217.196.147.77/tor/server/fp/5d53a35fd74afb4614f982ef9983826c3dae08ef

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

417 B
7.7kB
7
9

HTTP Request

GET http://217.196.147.77/tor/server/fp/5d53a35fd74afb4614f982ef9983826c3dae08ef

HTTP Response

200
127.0.0.1:32767

msedge.exe
127.0.0.1:32768

msedge.exe
127.0.0.1:32767

msedge.exe
127.0.0.1:32768

msedge.exe
172.217.169.10:443

chromewebstore.googleapis.com

tls

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

1.0kB
5.0kB
8
8
127.0.0.1:32767

msedge.exe
127.0.0.1:32767

msedge.exe
127.0.0.1:32767

msedge.exe
127.0.0.1:32767

msedge.exe
127.0.0.1:32767

msedge.exe
127.0.0.1:32768

msedge.exe
45.66.35.11:80

http://45.66.35.11/tor/server/fp/bc7bbfbbf4ae5469405591d28bf3ef8071b0f32e

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

368 B
2.7kB
6
6

HTTP Request

GET http://45.66.35.11/tor/server/fp/bc7bbfbbf4ae5469405591d28bf3ef8071b0f32e

HTTP Response

200
152.89.92.206:443

tls, https

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

21.4kB
24.1kB
51
66
216.218.219.41:80

http://216.218.219.41/tor/server/fp/d0886a4af140123e476d7804ef51ca74bae1ce5f

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.7kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/d0886a4af140123e476d7804ef51ca74bae1ce5f

HTTP Response

200
217.196.147.77:80

http://217.196.147.77/tor/server/fp/6bddb87bd4f79460b1484795c12d5d54b0a1c820

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
4.0kB
6
7

HTTP Request

GET http://217.196.147.77/tor/server/fp/6bddb87bd4f79460b1484795c12d5d54b0a1c820

HTTP Response

200
45.66.35.11:80

http://45.66.35.11/tor/server/fp/66cc7059f89514dd604a3fcb5ded02dea859d5b2

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

368 B
4.8kB
6
7

HTTP Request

GET http://45.66.35.11/tor/server/fp/66cc7059f89514dd604a3fcb5ded02dea859d5b2

HTTP Response

200
88.216.223.2:80

tls, http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

21.4kB
24.0kB
50
64
217.196.147.77:80

http://217.196.147.77/tor/server/fp/153460c0fe0945b0269999554e85534a2f709d8d

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

417 B
7.2kB
7
9

HTTP Request

GET http://217.196.147.77/tor/server/fp/153460c0fe0945b0269999554e85534a2f709d8d

HTTP Response

200
45.66.35.11:80

http://45.66.35.11/tor/server/fp/e7adc26703d5f9f7271eb93708ee4bc5184c8372

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

552 B
16.2kB
10
15

HTTP Request

GET http://45.66.35.11/tor/server/fp/e7adc26703d5f9f7271eb93708ee4bc5184c8372

HTTP Response

200
216.218.219.41:80

http://216.218.219.41/tor/server/fp/60fd4fc8ae76af71d3af70010eedee39b58d0296

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.9kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/60fd4fc8ae76af71d3af70010eedee39b58d0296

HTTP Response

200
81.6.47.149:443

tls, https

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

21.5kB
24.1kB
52
65
217.196.147.77:80

http://217.196.147.77/tor/server/fp/2ec9170885695cbf9faa335a671dc3557cc57a54

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.7kB
6
6

HTTP Request

GET http://217.196.147.77/tor/server/fp/2ec9170885695cbf9faa335a671dc3557cc57a54

HTTP Response

200
216.218.219.41:80

http://216.218.219.41/tor/server/fp/dbc93b0f5225291f5d1ebf2ca4f3f90b879f00f8

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

647 B
21.0kB
12
19

HTTP Request

GET http://216.218.219.41/tor/server/fp/dbc93b0f5225291f5d1ebf2ca4f3f90b879f00f8

HTTP Response

200
216.218.219.41:80

http://216.218.219.41/tor/server/fp/07c17931ae2e17f95681fa2a91c7f7cdb068bf48

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.8kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/07c17931ae2e17f95681fa2a91c7f7cdb068bf48

HTTP Response

200
77.68.20.86:443

tls, https

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

21.4kB
23.8kB
50
59
216.218.219.41:80

http://216.218.219.41/tor/server/fp/c96601a972ee73b5683b61fbc0d6902d0e772585

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

371 B
2.7kB
6
6

HTTP Request

GET http://216.218.219.41/tor/server/fp/c96601a972ee73b5683b61fbc0d6902d0e772585

HTTP Response

200
216.218.219.41:80

http://216.218.219.41/tor/server/fp/ec8e0af0670a443fdbc29806e77e81ee167de765

http

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

417 B
7.2kB
7
9

HTTP Request

GET http://216.218.219.41/tor/server/fp/ec8e0af0670a443fdbc29806e77e81ee167de765

HTTP Response

200

8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

73.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.159.190.20.in-addr.arpa
8.8.8.8:53

118.164.13.204.in-addr.arpa

dns

73 B
115 B
1
1

DNS Request

118.164.13.204.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

api.ipify.org

dns

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

59 B
107 B
1
1

DNS Request

api.ipify.org

DNS Response

104.26.12.205

172.67.74.152

104.26.13.205
8.8.8.8:53

time-a.nist.gov

dns

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

61 B
100 B
1
1

DNS Request

time-a.nist.gov

DNS Response

129.6.15.28
8.8.8.8:53

77.147.196.217.in-addr.arpa

dns

73 B
128 B
1
1

DNS Request

77.147.196.217.in-addr.arpa
8.8.8.8:53

205.12.26.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

205.12.26.104.in-addr.arpa
8.8.8.8:53

time-a-g.nist.gov

dns

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

63 B
79 B
1
1

DNS Request

time-a-g.nist.gov

DNS Response

129.6.15.28
8.8.8.8:53

time.nist.gov

dns

dfe468bdad97b15c8ede2105a66c389b41f79e54de10747d6713140a70883a19.exe

59 B
98 B
1
1

DNS Request

time.nist.gov

DNS Response

132.163.96.1
8.8.8.8:53

202.189.111.23.in-addr.arpa

dns

73 B
116 B
1
1

DNS Request

202.189.111.23.in-addr.arpa
8.8.8.8:53

28.15.6.129.in-addr.arpa

dns

70 B
101 B
1
1

DNS Request

28.15.6.129.in-addr.arpa
8.8.8.8:53

1.96.163.132.in-addr.arpa

dns

71 B
102 B
1
1

DNS Request

1.96.163.132.in-addr.arpa
8.8.8.8:53

41.219.218.216.in-addr.arpa

dns

73 B
130 B
1
1

DNS Request

41.219.218.216.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

11.35.66.45.in-addr.arpa

dns

70 B
97 B
1
1

DNS Request

11.35.66.45.in-addr.arpa
8.8.8.8:53

125.131.32.84.in-addr.arpa

dns

72 B
153 B
1
1

DNS Request

125.131.32.84.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

134.71.91.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

134.71.91.104.in-addr.arpa
8.8.8.8:53

chromewebstore.googleapis.com

dns

75 B
315 B
1
1

DNS Request

chromewebstore.googleapis.com

DNS Response

172.217.169.10

216.58.212.202

216.58.212.234

172.217.169.74

172.217.169.42

142.250.179.234

142.250.180.10

142.250.187.202

142.250.187.234

142.250.178.10

172.217.16.234

142.250.200.10

142.250.200.42

216.58.201.106

216.58.204.74
8.8.8.8:53

10.169.217.172.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

10.169.217.172.in-addr.arpa
8.8.8.8:53

206.92.89.152.in-addr.arpa

dns

72 B
141 B
1
1

DNS Request

206.92.89.152.in-addr.arpa
8.8.8.8:53

240.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

240.197.17.2.in-addr.arpa
8.8.8.8:53

2.223.216.88.in-addr.arpa

dns

71 B
107 B
1
1

DNS Request

2.223.216.88.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

149.47.6.81.in-addr.arpa

dns

70 B
105 B
1
1

DNS Request

149.47.6.81.in-addr.arpa
8.8.8.8:53

240.143.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

240.143.123.92.in-addr.arpa
8.8.8.8:53

86.20.68.77.in-addr.arpa

dns

70 B
135 B
1
1

DNS Request

86.20.68.77.in-addr.arpa
8.8.8.8:53

225.162.46.104.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

225.162.46.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b381995a86335a5f812466e15c319ce7

SHA1
794d476a5d7a5dae6f67f2f991aa7bffc2dd03ea

SHA256
3bfac0271ffaf29bff14c91b186b3b465e1cb9c74ef6d35c7a25d8ce3db58f05

SHA512
9a8d12321bdb27f941b49d84758915efbe5c830cf9760639d14be13d26220092e69500df58af2822ed1a966802060235b2c47adef8c4aeb426ba57e78518d280

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
6c94c70d0ee669959a7a9c8507d3bdf4

SHA1
1e7bc51745f134e8b208238bb7ac68bd3fbd760d

SHA256
013f9dfd9288cef03e09c2585918559bb3090525bc6cf88e8a8a71017dde9aa3

SHA512
6566229ce37c769de5449204ba0afc98b6089dfac690ae29298a032dbe77abe2d6babd7bb3f0ec79af6bcb131d04f3b04f3fc3f31838efce8e61f5d28d19b72d

Download Submit
memory/1496-18-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-26-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-7-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-8-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-5-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-14-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/1496-4-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-16-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-17-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-0-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1496-20-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1496-21-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-25-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-6-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-29-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-48-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-52-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-3-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-60-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-62-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-2-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/1496-1-0x0000000002950000-0x0000000002A32000-memory.dmp

Filesize
904KB

Download
memory/1496-75-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-78-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-80-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download
memory/1496-83-0x0000000003520000-0x00000000035BF000-memory.dmp

Filesize
636KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request