Malware Analysis Report

2024-12-07 15:00

Sample ID 241030-ytlpeszhrl
Target 82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N
SHA256 82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7
Tags
simda discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7

Threat Level: Known bad

The file 82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Simda family

Modifies WinLogon for persistence

simda

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 20:04

Signatures

Simda family

simda

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 20:04

Reported

2024-10-30 20:06

Platform

win7-20241010-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7224c796 = "K‹µ" | C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7224c796 = "K‹µ" | C:\Windows\apppatch\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe | N/A
File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe | N/A
N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe

"C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network


Files

\Windows\AppPatch\svchost.exe

MD5 4828ec16569b7ab9e7f0a88eaf4e1b05
SHA1 30a6bbafe27913b8577cbdbb4b486c2b1f1540ad
SHA256 edb95aa51bfa9913e3b3427d2ec811687a291a9c70e3b0b3e2317078f9119db6
SHA512 e599c86ee7aff7ede71b6391a0f4c9761be9a572bfc54fc2540cc8b9ff9bf894c436e0a4b063916905d26d03416384f2e8f218640e4b8b34a132fb9e81f838a9

C:\Users\Admin\AppData\Local\Temp\6A9A.tmp

MD5 926512864979bc27cf187f1de3f57aff
SHA1 acdeb9d6187932613c7fa08eaf28f0cd8116f4b5
SHA256 b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f
SHA512 f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 20:04

Reported

2024-10-30 20:06

Platform

win10v2004-20241007-en

Max time kernel

112s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\97767b80 = "0Ÿªv*!ŠR$îº7£3Ž\f#\fÞ\r\x10\tU7‚M‡]sç0\x05']kéOŸ_\a\x17µgùæ>y\vÛ]ßQuÃ+6ŸïE\x03\r®o±·Ó\x055\x0f\x15\u0081Þ?«\x1f\x1b;³…£Í\x17._“½í\x11V6¥ó\x0e›Æ\x17v\x0f[YƒÓ\rçûM®I¯ó›—…Æëñ–ƒ\u008d–C½~F\u009d[ã^Çsæ/ß?ÉÇ71\u00adw“'.Þ\x19×\x1dÛY=á±;‡Í\x1f}E‹—·óF×f-ד†¥e?Í\r·'ÑÏ]ý}\x0f\rÑEe‹'¯/³ï3\x1d;«n¥\x0fyf]Ù½ýó\x06¿ÏVÛ\x13Ái½v=&kmÓ5·\x06¦Åu¿g™.þõ\x06£\x1fÍ\x17±£\x0eß{y\x0fæ–Þá¾–\r\aö1\x19î6å\x05" C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\97767b80 = "0Ÿªv*!ŠR$îº7£3Ž\f#\fÞ\r\x10\tU7‚M‡]sç0\x05']kéOŸ_\a\x17µgùæ>y\vÛ]ßQuÃ+6ŸïE\x03\r®o±·Ó\x055\x0f\x15\u0081Þ?«\x1f\x1b;³…£Í\x17._“½í\x11V6¥ó\x0e›Æ\x17v\x0f[YƒÓ\rçûM®I¯ó›—…Æëñ–ƒ\u008d–C½~F\u009d[ã^Çsæ/ß?ÉÇ71\u00adw“'.Þ\x19×\x1dÛY=á±;‡Í\x1f}E‹—·óF×f-ד†¥e?Í\r·'ÑÏ]ý}\x0f\rÑEe‹'¯/³ï3\x1d;«n¥\x0fyf]Ù½ýó\x06¿ÏVÛ\x13Ái½v=&kmÓ5·\x06¦Åu¿g™.þõ\x06£\x1fÍ\x17±£\x0eß{y\x0fæ–Þá¾–\r\aö1\x19î6å\x05" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe

"C:\Users\Admin\AppData\Local\Temp\82e876ddae985b0ff651481e0fab88bebd9258eee7a7399ea0bbc33d2b0ebeb7N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto

Files

C:\Windows\apppatch\svchost.exe

MD5 71eaaf16441f0da728fd8e880f74f6ea
SHA1 aa914a1d6e1c030bab030406eba74ca8f8936b1d
SHA256 f1aeff89ae77e1c5fa79566a9fe4bb1dc656a98845145ca928738a826c18c11e
SHA512 3a826cc54cfc0e587fee036c276cbfbdb51b5afa92fc0dda7e4e5b9f2b52aa1787529cdba4151baf8e904f5b022a38dfec87da535106f619543a9472b66f4d76

C:\Users\Admin\AppData\Local\Temp\7244.tmp

MD5 fb2540ed67331de7a2f36b85b4ecfccc
SHA1 9c38224415758a01833a967764d5ed7e3d159c30
SHA256 9804fc0f51c2f0235b92aa65ad2c7c3adcd442d390284a6254ca81c6e5a84861
SHA512 63d602be64ccfd9d329d96175ff19668c2f4d0eca4769bcb040178d2fa067eff9076463e6e7091b7f975a53a8191896656c079aa1d2bf0f87dec9667617973d3

C:\Users\Admin\AppData\Local\Temp\748E.tmp

MD5 3abbcc4a381002de3f5237989cc2994b
SHA1 04848ee9b26116c308b63333fafca8c2bb4635c4
SHA256 ffd92dc37c64bbac288c25e33b6f7475d09a491752a589b39a9de29725d8ef5c
SHA512 45c1c5639cbf41d70ef40ec7d930063041bd181cf2e7a28e162daf2520319c0afcacfb4c2861af6c4f985476ccf03926cc47aa15b94a47732b7e5da0548ec87c

C:\Users\Admin\AppData\Local\Temp\7390.tmp

MD5 34291ae450c67112732e6f7cd82a9465
SHA1 ba7e50685dfb5e73c0d4d5ec076a9a4454ddf52b
SHA256 dca6e572a28fcf10f45fdc747a70e7dd7fb238fbfc8ef6f0a925b30b1cbbfc42
SHA512 3f6acee36fe24089439a211aafaf96a84b7e394bc508cbda72d576ada20d4a4968edb5c2914fb92499b2f80c6a9dc4f20101460808fdf5066db41701d083df29
