simda | fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c

Analysis

max time kernel
110s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/12/2024, 19:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
Size

204KB
MD5

4c60d92c2c5b2293b1b4b746dabd6866
SHA1

0c45715bb04dae2ddc5ba3334f797cc6d8c5d761
SHA256

fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c
SHA512

ec6c9308e786264d959f3684444028b1fc956886369af3eccadfed356d1430aef3e1f2ec647b6df725a09be16a26dc3d0c86b651c48a52350fdf3b63a8d9589b
SSDEEP

3072:U5u7yT4TVbkuRaX1w71jnRkCoyJTarYWbV+HOFxg+z1WxJsqWkoyjOowUVl/TlA4:ULexkuRaX41xoyJV65gzyZko+uch

Score

10^/10

simda discovery persistence stealer trojan

Malware Config

Extracted

Family

simda

Attributes

dga
gatyfus.com

lyvyxor.com

vojyqem.com

qetyfuv.com

puvyxil.com

gahyqah.com

lyryfyd.com

vocyzit.com

qegyqaq.com

purydyv.com

gacyzuz.com

lygymoj.com

vowydef.com

qexylup.com

pufymoq.com

gaqydeb.com

lyxylux.com

vofymik.com

qeqysag.com

puzylyp.com

gadyniw.com

lymysan.com

volykyc.com

qedynul.com

pumypog.com

galykes.com

lysynur.com

vonypom.com

qekykev.com

pupybul.com

ganypih.com

lykyjad.com

vopybyt.com

qebytiq.com

pujyjav.com

gatyvyz.com

lyvytuj.com

vojyjof.com

qetyvep.com

puvytuq.com

gahyhob.com

lyryvex.com

vocyruk.com

qegyhig.com

purycap.com

gacyryw.com

lygygin.com

vowycac.com

qexyryl.com

pufygug.com

gaqycos.com

lyxywer.com

vofygum.com

qeqyxov.com

puzywel.com

gadyfuh.com

lymyxid.com

volyqat.com

qedyfyq.com

pumyxiv.com

galyqaz.com

lysyfyj.com

vonyzuf.com

qekyqop.com

pupydeq.com

ganyzub.com

lykymox.com

vopydek.com

qebylug.com

pujymip.com

gatydaw.com

lyvylyn.com

vojymic.com

qetysal.com

puvylyg.com

gahynus.com

lyrysor.com

vocykem.com

qegynuv.com

purypol.com

gacykeh.com

lygynud.com

vowypit.com

qexykaq.com

pufybyv.com

gaqypiz.com

lyxyjaj.com

vofybyf.com

qeqytup.com

puzyjoq.com

gadyveb.com

lymytux.com

volyjok.com

qedyveg.com

pumytup.com

galyhiw.com

lysyvan.com

vonyryc.com

qekyhil.com

pupycag.com

ganyrys.com

lykygur.com

vopycom.com

qebyrev.com

pujygul.com

gatycoh.com

lyvywed.com

vojygut.com

qetyxiq.com

puvywav.com

gahyfyz.com

lyryxij.com

vocyqaf.com

qegyfyp.com

puryxuq.com

gacyqob.com

lygyfex.com

vowyzuk.com

qexyqog.com

pufydep.com

gaqyzuw.com

lyxymin.com

vofydac.com

qeqylyl.com

puzymig.com

gadydas.com

lymylyr.com

volymum.com

qedysov.com

pumylel.com

galynuh.com

lysysod.com

vonyket.com

qekynuq.com

pupypiv.com

ganykaz.com

lykynyj.com

vopypif.com

qebykap.com

pujybyq.com

gatypub.com

lyvyjox.com

vojybek.com

qetytug.com

puvyjop.com

gahyvew.com

lyrytun.com

vocyjic.com

qegyval.com

purytyg.com

gacyhis.com

lygyvar.com

vowyrym.com

qexyhuv.com

pufycol.com

gaqyreh.com

lyxygud.com

vofycot.com

qeqyreq.com

puzyguv.com

gadyciz.com

lymywaj.com

volygyf.com

qedyxip.com

pumywaq.com

galyfyb.com

lysyxux.com

vonyqok.com

qekyfeg.com

pupyxup.com

ganyqow.com

lykyfen.com

vopyzuc.com

qebyqil.com

pujydag.com

gatyzys.com

lyvymir.com

vojydam.com

qetylyv.com

puvymul.com

gahydoh.com

lyryled.com

vocymut.com

qegysoq.com

purylev.com

gacynuz.com

lygysij.com

vowykaf.com

qexynyp.com

pufypiq.com

gaqykab.com

lyxynyx.com

vofypuk.com

qeqykog.com

puzybep.com

gadypuw.com

lymyjon.com

volybec.com

qedytul.com

pumyjig.com

galyvas.com

lysytyr.com

vonyjim.com

qekyvav.com

pupytyl.com

ganyhuh.com

lykyvod.com

vopyret.com

qebyhuq.com

pujycov.com

gatyrez.com

lyvyguj.com

vojycif.com

qetyrap.com

puvygyq.com

gahycib.com

lyrywax.com

vocygyk.com

qegyxug.com

purywop.com

gacyfew.com

lygyxun.com

vowyqoc.com

qexyfel.com

pufyxug.com

gaqyqis.com

lyxyfar.com

vofyzym.com

qeqyqiv.com

puzydal.com

gadyzyh.com

lymymud.com

volydot.com

qedyleq.com

pumymuv.com

galydoz.com

lysylej.com

vonymuf.com

qekysip.com

pupylaq.com

ganynyb.com

lykysix.com

vopykak.com

qebynyg.com

pujypup.com

gatykow.com

lyvynen.com

vojypuc.com

qetykol.com

puvybeg.com

gahypus.com

lyryjir.com

vocybam.com

qegytyv.com

puryjil.com

gacyvah.com

lygytyd.com

vowyjut.com

qexyvoq.com

pufytev.com

gaqyhuz.com

lyxyvoj.com

vofyref.com

qeqyhup.com

puzyciq.com

gadyrab.com

lymygyx.com

volycik.com

qedyrag.com

pumygyp.com

galycuw.com

lysywon.com

vonygec.com

qekyxul.com

pupywog.com

ganyfes.com

lykyxur.com

vopyqim.com

qebyfav.com

pujyxyl.com

gatyqih.com

lyvyfad.com

vojyzyt.com

qetyquq.com

puvydov.com

gahyzez.com

lyrymuj.com

vocydof.com

qegylep.com

purymuq.com

gacydib.com

lygylax.com

vowymyk.com

qexysig.com

pufylap.com

gaqynyw.com

lyxysun.com

vofykoc.com

qeqynel.com

puzypug.com

gadykos.com

lymyner.com

volypum.com

qedykiv.com

pumybal.com

galypyh.com

lysyjid.com

vonybat.com

qekytyq.com

pupyjuv.com

ganyvoz.com

lykytej.com

vopyjuf.com

qebyvop.com

pujyteq.com

gatyhub.com

lyvyvix.com

vojyrak.com

qetyhyg.com

puvycip.com

gahyraw.com

lyrygyn.com

vocycuc.com

qegyrol.com

purygeg.com

gacycus.com

lygywor.com

vowygem.com

qexyxuv.com

pufywil.com

gaqyfah.com

lyxyxyd.com

vofyqit.com

qeqyfaq.com

puzyxyv.com

gadyquz.com

lymyfoj.com

volyzef.com

qedyqup.com

pumydoq.com

galyzeb.com

lysymux.com

vonydik.com

qekylag.com

pupymyp.com

ganydiw.com

lykylan.com

vopymyc.com

qebysul.com

pujylog.com

gatynes.com

lyvysur.com

vojykom.com

qetynev.com

puvypul.com

gahykih.com

lyrynad.com

vocypyt.com

qegykiq.com

purybav.com

gacypyz.com

lygyjuj.com

vowybof.com

qexytep.com

pufyjuq.com

gaqyvob.com

lyxytex.com

vofyjuk.com

qeqyvig.com

puzytap.com

gadyhyw.com

lymyvin.com

volyrac.com

qedyhyl.com

pumycug.com

galyros.com

lysyger.com

vonycum.com

qekyrov.com

pupygel.com

ganycuh.com

lykywid.com

vopygat.com

qebyxyq.com

pujywiv.com

gatyfaz.com

lyvyxyj.com

vojyquf.com

qetyfop.com

puvyxeq.com

gahyqub.com

lyryfox.com

vocyzek.com

qegyqug.com

purydip.com

gacyzaw.com

lygymyn.com

vowydic.com

qexylal.com

pufymyg.com

gaqydus.com

lyxylor.com

vofymem.com

qeqysuv.com

puzylol.com

gadyneh.com

lymysud.com

volykit.com

qedynaq.com

pumypyv.com

galykiz.com

lysynaj.com

vonypyf.com

qekykup.com

pupyboq.com

ganypeb.com

lykyjux.com

vopybok.com

qebyteg.com

pujyjup.com

gatyviw.com

lyvytan.com

vojyjyc.com

qetyvil.com

puvytag.com

gahyhys.com

lyryvur.com

vocyrom.com

qegyhev.com

purycul.com

gacyroh.com

lygyged.com

vowycut.com

qexyriq.com

pufygav.com

gaqycyz.com

lyxywij.com

vofygaf.com

qeqyxyp.com

puzywuq.com

gadyfob.com

lymyxex.com

volyquk.com

qedyfog.com

pumyxep.com

galyquw.com

lysyfin.com

vonyzac.com

qekyqyl.com

pupydig.com

ganyzas.com

lykymyr.com

vopydum.com

qebylov.com

pujymel.com

gatyduh.com

lyvylod.com

vojymet.com

qetysuq.com

puvyliv.com

gahynaz.com

lyrysyj.com

vocykif.com

qegynap.com

purypyq.com

gacykub.com

lygynox.com

vowypek.com

qexykug.com

pufybop.com

gaqypew.com

lyxyjun.com

vofybic.com

qeqytal.com

puzyjyg.com

gadyvis.com

lymytar.com

volyjym.com

qedyvuv.com

pumytol.com

galyheh.com

lysyvud.com

vonyrot.com

qekyheq.com

pupycuv.com

ganyriz.com

lykygaj.com

vopycyf.com

qebyrip.com

pujygaq.com

gatycyb.com

lyvywux.com

vojygok.com

qetyxeg.com

puvywup.com

gahyfow.com

lyryxen.com

vocyquc.com

qegyfil.com

puryxag.com

gacyqys.com

lygyfir.com

vowyzam.com

qexyqyv.com

pufydul.com

gaqyzoh.com

lyxymed.com

vofydut.com

qeqyloq.com

puzymev.com

gadyduz.com

lymylij.com

volymaf.com

qedysyp.com

pumyliq.com

galynab.com

lysysyx.com

vonykuk.com

qekynog.com

pupypep.com

ganykuw.com

lykynon.com

vopypec.com

qebykul.com

pujybig.com

gatypas.com

lyvyjyr.com

vojybim.com

qetytav.com

puvyjyl.com

gahyvuh.com

lyrytod.com

vocyjet.com

qegyvuq.com

purytov.com

gacyhez.com

lygyvuj.com

vowyrif.com

qexyhap.com

pufycyq.com

gaqyrib.com

lyxygax.com

vofycyk.com

qeqyrug.com

puzygop.com

gadycew.com

lymywun.com

volygoc.com

qedyxel.com

pumywug.com

galyfis.com

lysyxar.com

vonyqym.com

qekyfiv.com

pupyxal.com

ganyqyh.com

lykyfud.com

vopyzot.com

qebyqeq.com

pujyduv.com

gatyzoz.com

lyvymej.com

vojyduf.com

qetylip.com

puvymaq.com

gahydyb.com

lyrylix.com

vocymak.com

qegysyg.com

purylup.com

gacynow.com

lygysen.com

vowykuc.com

qexynol.com

pufypeg.com

gaqykus.com

lyxynir.com

vofypam.com

qeqykyv.com

puzybil.com

gadypah.com

lymyjyd.com

volybut.com

qedytoq.com

pumyjev.com

galyvuz.com

lysytoj.com

vonyjef.com

qekyvup.com

pupytiq.com

ganyhab.com

lykyvyx.com

vopyrik.com

qebyhag.com

pujycyp.com

gatyruw.com

lyvygon.com

vojycec.com

qetyrul.com

puvygog.com

gahyces.com

lyrywur.com

vocygim.com

qegyxav.com

purywyl.com

gacyfih.com

lygyxad.com

vowyqyt.com

qexyfuq.com

pufyxov.com

gaqyqez.com

lyxyfuj.com

vofyzof.com

qeqyqep.com

puzyduq.com

gadyzib.com

lymymax.com

volydyk.com

qedylig.com

pumymap.com

galydyw.com

lysylun.com

vonymoc.com

qekysel.com

pupylug.com

ganynos.com

lykyser.com

vopykum.com

qebyniv.com

pujypal.com

gatykyh.com

lyvynid.com

vojypat.com

qetykyq.com

puvybuv.com

gahypoz.com

lyryjej.com

vocybuf.com

qegytop.com

puryjeq.com

gacyvub.com

lygytix.com

vowyjak.com

qexyvyg.com

pufytip.com

gaqyhaw.com

lyxyvyn.com

vofyruc.com

qeqyhol.com

puzyceg.com

gadyrus.com

lymygor.com

volycem.com

qedyruv.com

pumygil.com

galycah.com

lysywyd.com

vonygit.com

qekyxaq.com

pupywyv.com

ganyfuz.com

lykyxoj.com

vopyqef.com

qebyfup.com

pujyxoq.com

gatyqeb.com

lyvyfux.com

vojyzik.com

qetyqag.com

puvydyp.com

gahyziw.com

lyryman.com

vocydyc.com

qegylul.com

purymog.com

gacydes.com

lygylur.com

vowymom.com

qexysev.com

pufylul.com

gaqynih.com

lyxysad.com

vofykyt.com

qeqyniq.com

puzypav.com

gadykyz.com

lymynuj.com

volypof.com

qedykep.com

pumybuq.com

galypob.com

lysyjex.com

vonybuk.com

qekytig.com

pupyjap.com

ganyvyw.com

lykytin.com

vopyjac.com

qebyvyl.com

pujytug.com

gatyhos.com

lyvyver.com

vojyrum.com

qetyhov.com

puvycel.com

gahyruh.com

lyrygid.com

vocycat.com

qegyryq.com

purygiv.com

gacycaz.com

lygywyj.com

vowyguf.com

qexyxop.com

pufyweq.com

gaqyfub.com

lyxyxox.com

vofyqek.com

qeqyfug.com

puzyxip.com

gadyqaw.com

lymyfyn.com

volyzic.com

qedyqal.com

pumydyg.com

galyzus.com

lysymor.com

vonydem.com

qekyluv.com

pupymol.com

ganydeh.com

lykylud.com

vopymit.com

qebysaq.com

pujylyv.com

gatyniz.com

lyvysaj.com

vojykyf.com

qetynup.com

puvypoq.com

gahykeb.com

lyrynux.com

vocypok.com

qegykeg.com

purybup.com

gacypiw.com

lygyjan.com

vowybyc.com

qexytil.com

pufyjag.com

gaqyvys.com

lyxytur.com

vofyjom.com

qeqyvev.com

puzytul.com

gadyhoh.com

lymyved.com

volyrut.com

qedyhiq.com

pumycav.com

galyryz.com

lysygij.com

vonycaf.com

qekyryp.com

pupyguq.com

ganycob.com

lykywex.com

vopyguk.com

qebyxog.com

pujywep.com

gatyfuw.com

lyvyxin.com

vojyqac.com

qetyfyl.com

puvyxig.com

gahyqas.com

lyryfyr.com

vocyzum.com

qegyqov.com

purydel.com

gacyzuh.com

lygymod.com

vowydet.com

qexyluq.com

pufymiv.com

gaqydaz.com

lyxylyj.com

vofymif.com

qeqysap.com

puzylyq.com

gadynub.com

lymysox.com

volykek.com

qedynug.com

pumypop.com

galykew.com

lysynun.com

vonypic.com

qekykal.com

pupybyg.com

ganypis.com

lykyjar.com

vopybym.com

qebytuv.com

pujyjol.com

gatyveh.com

lyvytud.com

vojyjot.com

qetyveq.com

puvytuv.com

gahyhiz.com

lyryvaj.com

vocyryf.com

qegyhip.com

purycaq.com

gacyryb.com

lygygux.com

vowycok.com

qexyreg.com

pufygup.com

gaqycow.com

lyxywen.com

vofyguc.com

qeqyxil.com

puzywag.com

gadyfys.com

lymyxir.com

volyqam.com

qedyfyv.com

pumyxul.com

galyqoh.com

lysyfed.com

vonyzut.com

qekyqoq.com

pupydev.com

ganyzuz.com

lykymij.com

vopydaf.com

qebylyp.com

pujymiq.com

gatydab.com

lyvylyx.com

vojymuk.com

qetysog.com

puvylep.com

gahynuw.com

lyryson.com

vocykec.com

qegynul.com

purypig.com

gacykas.com

lygynyr.com

vowypim.com

qexykav.com

pufybyl.com

gaqypuh.com

lyxyjod.com

vofybet.com

qeqytuq.com

puzyjov.com

gadyvez.com

lymytuj.com

volyjif.com

qedyvap.com

pumytyq.com

galyhib.com

lysyvax.com

vonyryk.com

qekyhug.com

pupycop.com

ganyrew.com

lykygun.com

vopycoc.com

qebyrel.com

pujygug.com

gatycis.com

lyvywar.com

vojygym.com

qetyxiv.com

puvywal.com

gahyfyh.com

lyryxud.com

vocyqot.com

qegyfeq.com

puryxuv.com

gacyqoz.com

lygyfej.com

vowyzuf.com

qexyqip.com

pufydaq.com

gaqyzyb.com

lyxymix.com

vofydak.com

qeqylyg.com

puzymup.com

gadydow.com

lymylen.com

volymuc.com

qedysol.com

pumyleg.com

galynus.com

lysysir.com

vonykam.com

qekynyv.com

pupypil.com

ganykah.com

lykynyd.com

vopyput.com

qebykoq.com

pujybev.com

gatypuz.com

lyvyjoj.com

vojybef.com

qetytup.com

puvyjiq.com

gahyvab.com

lyrytyx.com

vocyjik.com

qegyvag.com

purytyp.com

gacyhuw.com

lygyvon.com

vowyrec.com

qexyhul.com

pufycog.com

gaqyres.com

lyxygur.com

vofycim.com

qeqyrav.com

puzygyl.com

gadycih.com

lymywad.com

volygyt.com

qedyxuq.com

pumywov.com

galyfez.com

lysyxuj.com

vonyqof.com

qekyfep.com

pupyxuq.com

ganyqib.com

lykyfax.com

vopyzyk.com

qebyqig.com

pujydap.com

gatyzyw.com

lyvymun.com

vojydoc.com

qetylel.com

puvymug.com

gahydos.com

lyryler.com

vocymum.com

qegysiv.com

purylal.com

gacynyh.com

lygysid.com

vowykat.com

qexynyq.com

pufypuv.com

gaqykoz.com

lyxynej.com

vofypuf.com

qeqykop.com

puzybeq.com

gadypub.com

lymyjix.com

volybak.com

qedytyg.com

pumyjip.com

galyvaw.com

lysytyn.com

vonyjuc.com

qekyvol.com

pupyteg.com

ganyhus.com

lykyvor.com

vopyrem.com

qebyhuv.com

pujycil.com

gatyrah.com

lyvygyd.com

vojycit.com

qetyraq.com

puvygyv.com

gahycuz.com

lyrywoj.com

vocygef.com

qegyxup.com

purywoq.com

gacyfeb.com

lygyxux.com

vowyqik.com

qexyfag.com

pufyxyp.com

gaqyqiw.com

lyxyfan.com

vofyzyc.com

qeqyqul.com

puzydog.com

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Simda family
simda
simda
Simda is an infostealer written in C++.
stealer trojan simda

Executes dropped EXE 1 IoCs

pid	Process
4996	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\94a56bd8 = "ù\b…\tË\t-µ\u00a0P³ôe¦’ÂŽ!1²Q\u0081\u0090¢øšóPöWÜš\"\nWGE™B\x17êÅ–Â\x7fZ2OV\x0fÁ\x117µM\x0fºåFAv:S\x0e™òªŸ6bvší\x1bÏåû\x7f\x1b:B?[‹â²²:±\x01'±›ßÕ\x15Šok…Mz\u009dÉç×z_\"¢•±Ú]Ÿµo‡Ê%ë\x1a_\x15¹µ\x05qú9kíQ9\x12y\x03Bÿ\x11O\t÷š§Å+Cf«v1Ò:©Ÿ—‡¶jÂ\n±ê\x1bªaçÚaÒA.—BîÂçÂýÏ÷Á\x7f¹¶ß:\u008d_¢eU\x12\x1fÍoy2‹\x13Žjï–Z…®¾.ŸÏ\x19/Q\u008fú¿¢âŠ¿….º\x1f?æâ·S{ç—}§¿qñ7ç¥\x03B§\x1aA¶ñ:îi\x12.‘7Æÿ\x1a‘"	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\94a56bd8 = "ù\b…\tË\t-µ\u00a0P³ôe¦’ÂŽ!1²Q\u0081\u0090¢øšóPöWÜš\"\nWGE™B\x17êÅ–Â\x7fZ2OV\x0fÁ\x117µM\x0fºåFAv:S\x0e™òªŸ6bvší\x1bÏåû\x7f\x1b:B?[‹â²²:±\x01'±›ßÕ\x15Šok…Mz\u009dÉç×z_\"¢•±Ú]Ÿµo‡Ê%ë\x1a_\x15¹µ\x05qú9kíQ9\x12y\x03Bÿ\x11O\t÷š§Å+Cf«v1Ò:©Ÿ—‡¶jÂ\n±ê\x1bªaçÚaÒA.—BîÂçÂýÏ÷Á\x7f¹¶ß:\u008d_¢eU\x12\x1fÍoy2‹\x13Žjï–Z…®¾.ŸÏ\x19/Q\u008fú¿¢âŠ¿….º\x1f?æâ·S{ç—}§¿qñ7ç¥\x03B§\x1aA¶ñ:îi\x12.‘7Æÿ\x1a‘"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe
4996	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4996	4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe	82
PID 4376 wrote to memory of 4996	4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe	82
PID 4376 wrote to memory of 4996	4376	fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe	82

C:\Users\Admin\AppData\Local\Temp\fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe
"C:\Users\Admin\AppData\Local\Temp\fd8b5802f4ae9db0248467e727d2a98b58f95ea2d8c060c140769446dbc0351c.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4996

Network

DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

lyryfyd.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyryfyd.com

IN A

Response
DNS

qetyfuv.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qetyfuv.com

IN A

Response

qetyfuv.com

IN A

44.221.84.105
DNS

vojyqem.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vojyqem.com

IN A

Response

vojyqem.com

IN CNAME

77980.bodis.com

77980.bodis.com

IN A

199.59.243.227
DNS

lyvyxor.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyvyxor.com

IN A

Response

lyvyxor.com

IN A

208.100.26.245
DNS

puvyxil.com

svchost.exe

Remote address:

8.8.8.8:53

Request

puvyxil.com

IN A

Response
DNS

vocyzit.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vocyzit.com

IN A

Response

vocyzit.com

IN A

44.221.84.105
DNS

gahyqah.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gahyqah.com

IN A

Response

gahyqah.com

IN A

162.255.119.102

gahyqah.com

IN A

23.253.46.64
DNS

qegyqaq.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qegyqaq.com

IN A

Response
DNS

purydyv.com

svchost.exe

Remote address:

8.8.8.8:53

Request

purydyv.com

IN A

Response
DNS

gacyzuz.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gacyzuz.com

IN A

Response
DNS

lygymoj.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lygymoj.com

IN A

Response
DNS

vowydef.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vowydef.com

IN A

Response
DNS

qexylup.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qexylup.com

IN A

Response
DNS

pufymoq.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pufymoq.com

IN A

Response
DNS

gaqydeb.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gaqydeb.com

IN A

Response
DNS

lyxylux.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyxylux.com

IN A

Response
DNS

vofymik.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vofymik.com

IN A

Response
DNS

qeqysag.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qeqysag.com

IN A

Response
DNS

puzylyp.com

svchost.exe

Remote address:

8.8.8.8:53

Request

puzylyp.com

IN A

Response

puzylyp.com

IN A

75.2.71.199

puzylyp.com

IN A

99.83.170.3
DNS

gadyniw.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gadyniw.com

IN A

Response

gadyniw.com

IN A

154.212.231.82
DNS

lymysan.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lymysan.com

IN A

Response
DNS

volykyc.com

svchost.exe

Remote address:

8.8.8.8:53

Request

volykyc.com

IN A

Response
DNS

qedynul.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qedynul.com

IN A

Response
DNS

pumypog.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pumypog.com

IN A

Response
DNS

gatyfus.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gatyfus.com

IN A

Response

gatyfus.com

IN A

5.79.71.225

gatyfus.com

IN A

5.79.71.205

gatyfus.com

IN A

178.162.203.211

gatyfus.com

IN A

85.17.31.122

gatyfus.com

IN A

178.162.203.202

gatyfus.com

IN A

178.162.203.226

gatyfus.com

IN A

85.17.31.82

gatyfus.com

IN A

178.162.217.107
DNS

galykes.com

svchost.exe

Remote address:

8.8.8.8:53

Request

galykes.com

IN A

Response
DNS

lysynur.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lysynur.com

IN A

Response
DNS

qekykev.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qekykev.com

IN A

Response
DNS

vonypom.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vonypom.com

IN A

Response

vonypom.com

IN A

34.227.7.138
DNS

pupybul.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pupybul.com

IN A

Response
DNS

ganypih.com

svchost.exe

Remote address:

8.8.8.8:53

Request

ganypih.com

IN A

Response
DNS

lykyjad.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lykyjad.com

IN A

Response
DNS

vopybyt.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vopybyt.com

IN A

Response
DNS

pujyjav.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pujyjav.com

IN A

Response
DNS

gatyvyz.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gatyvyz.com

IN A

Response
DNS

lyvytuj.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyvytuj.com

IN A

Response
DNS

vojyjof.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vojyjof.com

IN A

Response
DNS

qetyvep.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qetyvep.com

IN A

Response
DNS

puvytuq.com

svchost.exe

Remote address:

8.8.8.8:53

Request

puvytuq.com

IN A

Response
DNS

gahyhob.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gahyhob.com

IN A

Response
DNS

lyryvex.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyryvex.com

IN A

Response
DNS

vocyruk.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vocyruk.com

IN A

Response
DNS

qegyhig.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qegyhig.com

IN A

Response

qegyhig.com

IN A

172.67.173.131

qegyhig.com

IN A

104.21.30.183
DNS

purycap.com

svchost.exe

Remote address:

8.8.8.8:53

Request

purycap.com

IN A

Response
DNS

gacyryw.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gacyryw.com

IN A

Response
DNS

lygygin.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lygygin.com

IN A

Response
DNS

vowycac.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vowycac.com

IN A

Response
DNS

qexyryl.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qexyryl.com

IN A

Response
DNS

pufygug.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pufygug.com

IN A

Response
DNS

gaqycos.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gaqycos.com

IN A

Response
DNS

lyxywer.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyxywer.com

IN A

Response
DNS

vofygum.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vofygum.com

IN A

Response
DNS

qeqyxov.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qeqyxov.com

IN A

Response
DNS

puzywel.com

svchost.exe

Remote address:

8.8.8.8:53

Request

puzywel.com

IN A

Response
DNS

gadyfuh.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gadyfuh.com

IN A

Response
DNS

lymyxid.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lymyxid.com

IN A

Response

lymyxid.com

IN A

3.94.10.34
DNS

volyqat.com

svchost.exe

Remote address:

8.8.8.8:53

Request

volyqat.com

IN A

Response
DNS

qedyfyq.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qedyfyq.com

IN A

Response
DNS

lykygur.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lykygur.com

IN A

Response
DNS

pumyxiv.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pumyxiv.com

IN A

Response
DNS

galyqaz.com

svchost.exe

Remote address:

8.8.8.8:53

Request

galyqaz.com

IN A

Response

galyqaz.com

IN A

199.191.50.83
DNS

lysyfyj.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lysyfyj.com

IN A

Response
DNS

vonyzuf.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vonyzuf.com

IN A

Response
DNS

qekyqop.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qekyqop.com

IN A

Response
DNS

qebytiq.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qebytiq.com

IN A

Response
DNS

68.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

vojyqem.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vojyqem.com

IN A

Response

vojyqem.com

IN CNAME

77980.bodis.com

77980.bodis.com

IN A

199.59.243.227
GET

http://vojyqem.com/login.php

svchost.exe

Remote address:

199.59.243.227:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vojyqem.com
Content-Length: 6

Response

HTTP/1.1 200 OK

date: Tue, 17 Dec 2024 19:17:04 GMT
content-type: text/html; charset=utf-8
content-length: 1098
x-request-id: 00807140-731c-4921-bd7f-f26a2d8b8e63
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VMytHbmmrfMc+kzmiPYTt2uS2PDnHHj/p/2nCNN04G2eOrYX/LSI9ifattC96o92xCzWruQ65ql9+oondzcTDQ==
set-cookie: parking_session=00807140-731c-4921-bd7f-f26a2d8b8e63; expires=Tue, 17 Dec 2024 19:32:05 GMT; path=/
DNS

qegyhig.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qegyhig.com

IN A

Response

qegyhig.com

IN A

104.21.30.183

qegyhig.com

IN A

172.67.173.131
DNS

vocyzit.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vocyzit.com

IN A

Response

vocyzit.com

IN A

44.221.84.105
DNS

qetyfuv.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qetyfuv.com

IN A

Response

qetyfuv.com

IN A

44.221.84.105
GET

http://qegyhig.com/login.php

svchost.exe

Remote address:

104.21.30.183:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qegyhig.com
Content-Length: 6

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 17 Dec 2024 19:17:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://qegyhig.com/login.php
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=otFkQepbTyu662n%2BQiFNFkseoOZBrdLQw8mcnCNQKaItkg1cIDFXs95iwYO8OkLCVyy3fkDJpWRc2HBepYUnMSnJ%2BK8fkCh66Bg4JLtCT%2FxiNG3mAnP2W7RH7yhDPQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f394055db23653d-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=184302&min_rtt=184302&rtt_var=92151&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=268&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://qegyhig.com/login.php

svchost.exe

Remote address:

104.21.30.183:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qegyhig.com
Content-Length: 6

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 17 Dec 2024 19:17:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://qegyhig.com/login.php
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PnBUDc579SO4FTVnwAr9Kv3l5v6DIXmw44Gh6wEBu5Ew2h10OjbImRqN6ZKvrCkua7QpMj5a9GG7aflEF%2BKgpIj%2F1U7NEA7UjPWxfNcFVXzKQMUYeamQbJiaQ0%2Fw3Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3940619ac9653d-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=185862&min_rtt=184302&rtt_var=41074&sent=5&recv=7&lost=0&retrans=0&sent_bytes=999&recv_bytes=536&delivery_rate=21314&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

gatyfus.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gatyfus.com

IN A

Response

gatyfus.com

IN A

178.162.203.202

gatyfus.com

IN A

85.17.31.82

gatyfus.com

IN A

85.17.31.122

gatyfus.com

IN A

5.79.71.225

gatyfus.com

IN A

178.162.203.226

gatyfus.com

IN A

178.162.203.211

gatyfus.com

IN A

178.162.217.107

gatyfus.com

IN A

5.79.71.205
DNS

lymyxid.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lymyxid.com

IN A

Response

lymyxid.com

IN A

3.94.10.34
DNS

puzylyp.com

svchost.exe

Remote address:

8.8.8.8:53

Request

puzylyp.com

IN A

Response

puzylyp.com

IN A

75.2.71.199

puzylyp.com

IN A

99.83.170.3
DNS

gahyqah.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gahyqah.com

IN A

Response

gahyqah.com

IN A

162.255.119.102

gahyqah.com

IN A

23.253.46.64
DNS

lyvyxor.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyvyxor.com

IN A

Response

lyvyxor.com

IN A

208.100.26.245
DNS

gadyniw.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gadyniw.com

IN A

Response

gadyniw.com

IN A

154.212.231.82
DNS

galyqaz.com

svchost.exe

Remote address:

8.8.8.8:53

Request

galyqaz.com

IN A

Response

galyqaz.com

IN A

199.191.50.83
DNS

vonypom.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vonypom.com

IN A

Response

vonypom.com

IN A

34.227.7.138
GET

http://lymyxid.com/login.php

svchost.exe

Remote address:

3.94.10.34:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lymyxid.com
Content-Length: 6

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Dec 2024 19:17:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=7819951a28b0025533505467ad6f0fc8|181.215.176.83|1734463025|1734463025|0|1|0; path=/; domain=.lymyxid.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
GET

http://gatyfus.com/login.php

svchost.exe

Remote address:

178.162.203.202:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatyfus.com
Content-Length: 6
GET

http://gadyniw.com/login.php

svchost.exe

Remote address:

154.212.231.82:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadyniw.com
Content-Length: 6

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Tue, 17 Dec 2024 19:17:06 GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
GET

http://gadyniw.com/login.php

svchost.exe

Remote address:

154.212.231.82:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadyniw.com
Content-Length: 6

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Tue, 17 Dec 2024 19:17:06 GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
GET

http://lyvyxor.com/login.php

svchost.exe

Remote address:

208.100.26.245:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvyxor.com
Content-Length: 6

Response

HTTP/1.1 404 Not Found

Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 17 Dec 2024 19:17:05 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
GET

http://lyvyxor.com/login.php

svchost.exe

Remote address:

208.100.26.245:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvyxor.com
Content-Length: 6

Response

HTTP/1.1 404 Not Found

Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 17 Dec 2024 19:17:06 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
GET

http://gahyqah.com/login.php

svchost.exe

Remote address:

162.255.119.102:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gahyqah.com
Content-Length: 6

Response

HTTP/1.1 302 Found

Date: Tue, 17 Dec 2024 19:17:05 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 55
Connection: keep-alive
Location: http://www.gahyqah.com/login.php
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
GET

http://vonypom.com/login.php

svchost.exe

Remote address:

34.227.7.138:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vonypom.com
Content-Length: 6

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Dec 2024 19:17:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e11481bd19862ca1c518d3eeaa71a9c7|181.215.176.83|1734463025|1734463025|0|1|0; path=/; domain=.vonypom.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
GET

http://puzylyp.com/login.php

svchost.exe

Remote address:

75.2.71.199:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puzylyp.com
Content-Length: 6

Response

HTTP/1.1 308 Permanent Redirect

Connection: close
Location: https://puzylyp.com/login.php
Server: Caddy
Date: Tue, 17 Dec 2024 19:17:05 GMT
Content-Length: 0
GET

http://galyqaz.com/login.php

svchost.exe

Remote address:

199.191.50.83:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: galyqaz.com
Content-Length: 6

Response

HTTP/1.1 302 Found

Date: Tue, 17 Dec 2024 19:17:06 GMT
Server: Apache
Referrer-Policy: no-referrer-when-downgrade
Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
Set-Cookie: vsid=910vr4820086261300584; expires=Sun, 16-Dec-2029 19:17:06 GMT; Max-Age=157680000; path=/; domain=galyqaz.com; HttpOnly
Location: //ww3.galyqaz.com
Content-Length: 0
Content-Type: text/html; charset=UTF-8
GET

https://qegyhig.com/login.php

svchost.exe

Remote address:

104.21.30.183:443

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qegyhig.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Tue, 17 Dec 2024 19:17:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
link: <https://qegyhig.com/wp-json/>; rel="https://api.w.org/"
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RkYpGjnYwB4vOASJbC%2F9a%2Fp7yctBELGuSL5mri0KPXxuhntePeOboYl4VOuGBf0%2BDPmYTc6UEtEBse4J2OnS6hP08zOqADPMXjp8zNmMxcybE2YPI%2Bc1tXcjVr5Xow%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f39405f0b7b4145-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=165169&min_rtt=30766&rtt_var=44459&sent=6&recv=9&lost=0&retrans=0&sent_bytes=3281&recv_bytes=573&delivery_rate=44107&cwnd=252&unsent_bytes=0&cid=a0d4572849214736&ts=1211&x=0"
DNS

svchost.exe

Remote address:

104.21.30.183:443

Response

HTTP/1.1 400 Bad Request

Server: cloudflare
Date: Tue, 17 Dec 2024 19:17:07 GMT
Content-Type: text/html
Content-Length: 155
Connection: close
CF-RAY: -
GET

https://puzylyp.com/login.php

svchost.exe

Remote address:

75.2.71.199:443

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puzylyp.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Alt-Svc: h3=":443"; ma=2592000
Cache-Control: private, no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 17 Dec 2024 19:17:07 GMT
Etag: "vsd2ssumgd1cmb"
Server: Caddy
Server: awselb/2.0
Vary: Accept-Encoding
X-Powered-By: Next.js
Transfer-Encoding: chunked
DNS

www.gahyqah.com

svchost.exe

Remote address:

8.8.8.8:53

Request

www.gahyqah.com

IN A

Response

www.gahyqah.com

IN CNAME

parkingpage.namecheap.com

parkingpage.namecheap.com

IN A

91.195.240.19
GET

http://www.gahyqah.com/login.php

svchost.exe

Remote address:

91.195.240.19:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: www.gahyqah.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

date: Tue, 17 Dec 2024 19:17:06 GMT
content-type: text/html; charset=UTF-8
transfer-encoding: chunked
vary: Accept-Encoding
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_g5rlXs9RuRW4dglqQ5LydJEttSTVBsfpTg5YbTbTgxQyCxJaX/4wWztIAOuRl2yVYhX0WGF1Yaew3U85nGI5uA==
last-modified: Tue, 17 Dec 2024 19:17:06 GMT
x-cache-miss-from: parking-dc6db864f-4hmqv
server: Parking/1.0
DNS

svchost.exe

Remote address:

91.195.240.19:80

Response

HTTP/1.1 400 Bad request

Content-length: 90
Cache-Control: no-cache
Connection: close
Content-Type: text/html
DNS

c.pki.goog

svchost.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.67
GET

http://c.pki.goog/r/gsr1.crl

svchost.exe

Remote address:

142.250.179.67:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Tue, 17 Dec 2024 18:28:42 GMT
Expires: Tue, 17 Dec 2024 19:18:42 GMT
Cache-Control: public, max-age=3000
Age: 2904
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

svchost.exe

Remote address:

142.250.179.67:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Tue, 17 Dec 2024 19:00:41 GMT
Expires: Tue, 17 Dec 2024 19:50:41 GMT
Cache-Control: public, max-age=3000
Age: 985
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

ww3.galyqaz.com

svchost.exe

Remote address:

8.8.8.8:53

Request

ww3.galyqaz.com

IN A

Response

ww3.galyqaz.com

IN CNAME

sedoparking.com

sedoparking.com

IN A

64.190.63.136
DNS

ww3.galyqaz.com

svchost.exe

Remote address:

8.8.8.8:53

Request

ww3.galyqaz.com

IN A

Response

ww3.galyqaz.com

IN CNAME

sedoparking.com

sedoparking.com

IN A

64.190.63.136
DNS

34.143.101.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

34.143.101.95.in-addr.arpa

IN PTR

Response

34.143.101.95.in-addr.arpa

IN PTR

a95-101-143-34deploystaticakamaitechnologiescom
DNS

227.243.59.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.243.59.199.in-addr.arpa

IN PTR

Response
DNS

183.30.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.30.21.104.in-addr.arpa

IN PTR

Response
DNS

202.203.162.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.203.162.178.in-addr.arpa

IN PTR

Response
DNS

199.71.2.75.in-addr.arpa

Remote address:

8.8.8.8:53

Request

199.71.2.75.in-addr.arpa

IN PTR

Response

199.71.2.75.in-addr.arpa

IN PTR

af3ca1dc3c96d4fe3awsglobalacceleratorcom
DNS

34.10.94.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

34.10.94.3.in-addr.arpa

IN PTR

Response

34.10.94.3.in-addr.arpa

IN PTR

ec2-3-94-10-34 compute-1 amazonawscom
DNS

245.26.100.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.26.100.208.in-addr.arpa

IN PTR

Response

245.26.100.208.in-addr.arpa

IN PTR

ip245 208-100-26staticsteadfastdnsnet
DNS

102.119.255.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

102.119.255.162.in-addr.arpa

IN PTR

Response
DNS

138.7.227.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.7.227.34.in-addr.arpa

IN PTR

Response

138.7.227.34.in-addr.arpa

IN PTR

ec2-34-227-7-138 compute-1 amazonawscom
DNS

83.50.191.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.50.191.199.in-addr.arpa

IN PTR

Response
DNS

82.231.212.154.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.231.212.154.in-addr.arpa

IN PTR

Response
DNS

67.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.179.250.142.in-addr.arpa

IN PTR

Response

67.179.250.142.in-addr.arpa

IN PTR

par21s19-in-f31e100net
DNS

19.240.195.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.240.195.91.in-addr.arpa

IN PTR

Response
DNS

23.149.64.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.149.64.172.in-addr.arpa

IN PTR

Response
GET

http://ww3.galyqaz.com/

svchost.exe

Remote address:

64.190.63.136:80

Request

GET / HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww3.galyqaz.com
Connection: Keep-Alive
Cookie: vsid=910vr4820086261300584

Response

HTTP/1.1 200 OK

date: Tue, 17 Dec 2024 19:17:07 GMT
content-type: text/html; charset=UTF-8
transfer-encoding: chunked
vary: Accept-Encoding
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_evc7N5FfUOmf13Nl+8D7+0irHI6C5wXyjgvzJn+lB3E1Qfjr/bYz10KXDPAJSx76rgq4GXBHZuidQRM73OngZw==
last-modified: Tue, 17 Dec 2024 19:17:07 GMT
x-cache-miss-from: parking-dc6db864f-bxjvd
server: Parking/1.0
DNS

svchost.exe

Remote address:

64.190.63.136:80

Response

HTTP/1.1 400 Bad request

Content-length: 90
Cache-Control: no-cache
Connection: close
Content-Type: text/html
GET

https://qegyhig.com/login.php

svchost.exe

Remote address:

104.21.30.183:443

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qegyhig.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Tue, 17 Dec 2024 19:17:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
link: <https://qegyhig.com/wp-json/>; rel="https://api.w.org/"
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u9dzVZT4LBKpHZEUdYMC3rY8oK8xcpv8Hwo%2FYfqslv4dj97UnASsMfNCWtMitdjZHmoCRnvTlegMlzyVBOnJqkh%2BwLDXaHI9xhcEcSoxEqSmpxrmXU2p8TP7wZ1iSA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3940634afdcd58-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=26474&min_rtt=26469&rtt_var=9936&sent=3&recv=6&lost=0&retrans=0&sent_bytes=115&recv_bytes=723&delivery_rate=51184&cwnd=250&unsent_bytes=0&cid=b73b592ee0e2a3c3&ts=360&x=0"
DNS

svchost.exe

Remote address:

104.21.30.183:443

Response

HTTP/1.1 400 Bad Request

Server: cloudflare
Date: Tue, 17 Dec 2024 19:17:08 GMT
Content-Type: text/html
Content-Length: 155
Connection: close
CF-RAY: -
DNS

233.38.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.38.18.104.in-addr.arpa

IN PTR

Response
DNS

136.63.190.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.63.190.64.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
GET

http://gatyfus.com/login.php

svchost.exe

Remote address:

178.162.203.202:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatyfus.com
Content-Length: 6
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

pupydeq.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pupydeq.com

IN A

Response

pupydeq.com

IN A

76.223.54.146

pupydeq.com

IN A

13.248.169.48
DNS

ganyzub.com

svchost.exe

Remote address:

8.8.8.8:53

Request

ganyzub.com

IN A

Response
DNS

lykymox.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lykymox.com

IN A

Response
DNS

vopydek.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vopydek.com

IN A

Response
DNS

qebylug.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qebylug.com

IN A

Response
DNS

pujymip.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pujymip.com

IN A

Response
DNS

gatydaw.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gatydaw.com

IN A

Response
DNS

lyvylyn.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyvylyn.com

IN A

Response
DNS

vojymic.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vojymic.com

IN A

Response
DNS

qetysal.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qetysal.com

IN A

Response
DNS

puvylyg.com

svchost.exe

Remote address:

8.8.8.8:53

Request

puvylyg.com

IN A

Response
DNS

gahynus.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gahynus.com

IN A

Response
DNS

lyrysor.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyrysor.com

IN A

Response

lyrysor.com

IN CNAME

zz1985.qu200.com

zz1985.qu200.com

IN CNAME

gtm-sg-6l13ukk0m05.qu200.com

gtm-sg-6l13ukk0m05.qu200.com

IN A

61.158.134.198
DNS

vocykem.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vocykem.com

IN A

Response
DNS

qegynuv.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qegynuv.com

IN A

Response
DNS

purypol.com

svchost.exe

Remote address:

8.8.8.8:53

Request

purypol.com

IN A

Response
DNS

gacykeh.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gacykeh.com

IN A

Response
DNS

lygynud.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lygynud.com

IN A

Response

lygynud.com

IN A

3.94.10.34
DNS

qexykaq.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qexykaq.com

IN A

Response
DNS

vowypit.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vowypit.com

IN A

Response
DNS

pufybyv.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pufybyv.com

IN A

Response
DNS

gaqypiz.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gaqypiz.com

IN A

Response
DNS

lyxyjaj.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyxyjaj.com

IN A

Response
DNS

vofybyf.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vofybyf.com

IN A

Response
DNS

qeqytup.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qeqytup.com

IN A

Response
DNS

puzyjoq.com

svchost.exe

Remote address:

8.8.8.8:53

Request

puzyjoq.com

IN A

Response
DNS

gadyveb.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gadyveb.com

IN A

Response
DNS

lymytux.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lymytux.com

IN A

Response
DNS

volyjok.com

svchost.exe

Remote address:

8.8.8.8:53

Request

volyjok.com

IN A

Response
DNS

pumytup.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pumytup.com

IN A

Response
DNS

qedyveg.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qedyveg.com

IN A

Response
DNS

galyhiw.com

svchost.exe

Remote address:

8.8.8.8:53

Request

galyhiw.com

IN A

Response
DNS

lysyvan.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lysyvan.com

IN A

Response

lysyvan.com

IN A

104.21.64.1

lysyvan.com

IN A

104.21.48.1

lysyvan.com

IN A

104.21.112.1

lysyvan.com

IN A

104.21.32.1

lysyvan.com

IN A

104.21.96.1

lysyvan.com

IN A

104.21.16.1

lysyvan.com

IN A

104.21.80.1
DNS

vonyryc.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vonyryc.com

IN A

Response
DNS

qekyhil.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qekyhil.com

IN A

Response
DNS

pupycag.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pupycag.com

IN A

Response

pupycag.com

IN A

34.227.7.138
DNS

ganyrys.com

svchost.exe

Remote address:

8.8.8.8:53

Request

ganyrys.com

IN A

Response
DNS

vopycom.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vopycom.com

IN A

Response
DNS

pujygul.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pujygul.com

IN A

Response
DNS

qebyrev.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qebyrev.com

IN A

Response
DNS

lyvywed.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyvywed.com

IN A

Response
DNS

vojygut.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vojygut.com

IN A

Response
DNS

qetyxiq.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qetyxiq.com

IN A

Response
DNS

gahyfyz.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gahyfyz.com

IN A

Response
DNS

puvywav.com

svchost.exe

Remote address:

8.8.8.8:53

Request

puvywav.com

IN A

Response
DNS

lyryxij.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyryxij.com

IN A

Response
DNS

vocyqaf.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vocyqaf.com

IN A

Response
DNS

qegyfyp.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qegyfyp.com

IN A

Response
DNS

gacyqob.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gacyqob.com

IN A

Response
DNS

puryxuq.com

svchost.exe

Remote address:

8.8.8.8:53

Request

puryxuq.com

IN A

Response
DNS

vowyzuk.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vowyzuk.com

IN A

Response
DNS

lygyfex.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lygyfex.com

IN A

Response
DNS

gatycoh.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gatycoh.com

IN A

Response
DNS

qexyqog.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qexyqog.com

IN A

Response
DNS

pufydep.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pufydep.com

IN A

Response
DNS

gaqyzuw.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gaqyzuw.com

IN A

Response
DNS

lyxymin.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyxymin.com

IN A

Response
DNS

vofydac.com

svchost.exe

Remote address:

8.8.8.8:53

Request

vofydac.com

IN A

Response
DNS

qeqylyl.com

svchost.exe

Remote address:

8.8.8.8:53

Request

qeqylyl.com

IN A

Response
DNS

puzymig.com

svchost.exe

Remote address:

8.8.8.8:53

Request

puzymig.com

IN A

Response
DNS

gadydas.com

svchost.exe

Remote address:

8.8.8.8:53

Request

gadydas.com

IN A

Response
DNS

lymylyr.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lymylyr.com

IN A

Response
DNS

volymum.com

svchost.exe

Remote address:

8.8.8.8:53

Request

volymum.com

IN A

Response
DNS

lyrysor.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lyrysor.com

IN A

Response

lyrysor.com

IN CNAME

zz1985.qu200.com

zz1985.qu200.com

IN CNAME

gtm-sg-6l13ukk0m05.qu200.com

gtm-sg-6l13ukk0m05.qu200.com

IN A

61.158.134.198
DNS

pupydeq.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pupydeq.com

IN A

Response

pupydeq.com

IN A

13.248.169.48

pupydeq.com

IN A

76.223.54.146
GET

http://pupydeq.com/login.php

svchost.exe

Remote address:

13.248.169.48:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pupydeq.com
Content-Length: 6

Response

HTTP/1.1 500 Internal Server Error

content-length: 97
cache-control: no-cache
content-type: text/html
GET

http://pupydeq.com/login.php

svchost.exe

Remote address:

13.248.169.48:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pupydeq.com
Content-Length: 6

Response

HTTP/1.1 500 Internal Server Error

content-length: 97
cache-control: no-cache
content-type: text/html
DNS

lygynud.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lygynud.com

IN A

Response

lygynud.com

IN A

3.94.10.34
DNS

lysyvan.com

svchost.exe

Remote address:

8.8.8.8:53

Request

lysyvan.com

IN A

Response

lysyvan.com

IN A

104.21.112.1

lysyvan.com

IN A

104.21.16.1

lysyvan.com

IN A

104.21.80.1

lysyvan.com

IN A

104.21.96.1

lysyvan.com

IN A

104.21.64.1

lysyvan.com

IN A

104.21.32.1

lysyvan.com

IN A

104.21.48.1
DNS

pupycag.com

svchost.exe

Remote address:

8.8.8.8:53

Request

pupycag.com

IN A

Response

pupycag.com

IN A

34.227.7.138
GET

http://lysyvan.com/login.php

svchost.exe

Remote address:

104.21.112.1:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysyvan.com
Content-Length: 6

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 17 Dec 2024 19:18:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://lysyvan.com/login.php
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VXSnOkAqO%2BrParwGlbw1uCx4693R5KqV0hjyC8dHtBmjxlH%2FC7tXcq4tTKHuIqiFrpEB69ITMOhmS2tsFU365mxJQhwyvSdSaYVI83CHC2tgeYfK4%2FlYx9f2l0KsAQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f394243888388bf-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27155&min_rtt=27155&rtt_var=13577&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=268&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://lysyvan.com/login.php

svchost.exe

Remote address:

104.21.112.1:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysyvan.com
Content-Length: 6

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 17 Dec 2024 19:18:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://lysyvan.com/login.php
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DoZHIcoQ5m5eeAYlCm0mX9AoRoET7UinD0%2Fwx4uKg6%2BXswXuRkObGxNHjhl7psjFzb%2FgxPGStqmsWKV5PFtm%2FPRmgicCBEIfuEQjPTzp4USRd9ICVN27Sc9PNfS66g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f394248ced088bf-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27447&min_rtt=27155&rtt_var=8142&sent=4&recv=6&lost=0&retrans=0&sent_bytes=997&recv_bytes=536&delivery_rate=95392&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://lygynud.com/login.php

svchost.exe

Remote address:

3.94.10.34:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lygynud.com
Content-Length: 6

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Dec 2024 19:18:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=927f8eef5066d05e764d495f35ad0cc1|181.215.176.83|1734463104|1734463104|0|1|0; path=/; domain=.lygynud.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
GET

http://pupycag.com/login.php

svchost.exe

Remote address:

34.227.7.138:80

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pupycag.com
Content-Length: 6

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Dec 2024 19:18:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=f6e1dc80003bbb8e0dc9581b5b83091f|181.215.176.83|1734463104|1734463104|0|1|0; path=/; domain=.pupycag.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
GET

https://lysyvan.com/login.php

svchost.exe

Remote address:

104.21.112.1:443

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysyvan.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Tue, 17 Dec 2024 19:18:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
link: <https://lysyvan.com/wp-json/>; rel="https://api.w.org/"
server-timing: amp_sanitizer;dur="28.5",amp_style_sanitizer;dur="12.9",amp_tag_and_attribute_sanitizer;dur="13.3",amp_optimizer;dur="4.1"
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kGynM87Z1Dn3OdJv4B%2F0khiuetID3q80S%2F0sCdBx83bW9IVqeZgtwzQC3oEQSnMdqNA464gkM19mNTC%2FSUHsWp0UJPLqPrJhLkKPDFQKFlJqwGuGO3a7GG17vaPGmQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3942461d8f63d2-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27566&min_rtt=27316&rtt_var=4694&sent=6&recv=9&lost=0&retrans=0&sent_bytes=3279&recv_bytes=573&delivery_rate=146586&cwnd=253&unsent_bytes=0&cid=788c8065c49769d3&ts=481&x=0"
DNS

svchost.exe

Remote address:

104.21.112.1:443

Response

HTTP/1.1 400 Bad Request

Server: cloudflare
Date: Tue, 17 Dec 2024 19:18:25 GMT
Content-Type: text/html
Content-Length: 155
Connection: close
CF-RAY: -
DNS

1.112.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.21.104.in-addr.arpa

IN PTR

Response
GET

https://lysyvan.com/login.php

svchost.exe

Remote address:

104.21.112.1:443

Request

GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysyvan.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Tue, 17 Dec 2024 19:18:26 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
link: <https://lysyvan.com/wp-json/>; rel="https://api.w.org/"
server-timing: amp_sanitizer;dur="23.8",amp_style_sanitizer;dur="9.9",amp_tag_and_attribute_sanitizer;dur="11.0",amp_optimizer;dur="2.7"
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TipzCqaPTx0P0%2FjucxzbeFanRsYOkMkUsDaoJm3KGB8VP%2BOsxi%2FtTGm4M0324XUyjN7bSzO5cMk3EphcCwyIvd0aPmq1N3lCCGjGNUYCCYx4%2FxPgplQevbq62iU%2FfQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f39424aecd8cd14-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=28103&min_rtt=27212&rtt_var=10841&sent=3&recv=6&lost=0&retrans=0&sent_bytes=115&recv_bytes=723&delivery_rate=49867&cwnd=250&unsent_bytes=0&cid=edf821ae1b832f9c&ts=418&x=0"
DNS

svchost.exe

Remote address:

104.21.112.1:443

Response

HTTP/1.1 400 Bad Request

Server: cloudflare
Date: Tue, 17 Dec 2024 19:18:26 GMT
Content-Type: text/html
Content-Length: 155
Connection: close
CF-RAY: -
DNS

48.169.248.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.169.248.13.in-addr.arpa

IN PTR

Response

48.169.248.13.in-addr.arpa

IN PTR

a904c694c05102f30awsglobalacceleratorcom
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

95.101.143.34:80

www.bing.com

svchost.exe

190 B
92 B
4
2
199.59.243.227:80

http://vojyqem.com/login.php

http

svchost.exe

826 B
2.4kB
12
6

HTTP Request

GET http://vojyqem.com/login.php

HTTP Response

200
104.21.30.183:80

http://qegyhig.com/login.php

http

svchost.exe

1.1kB
2.4kB
12
10

HTTP Request

GET http://qegyhig.com/login.php

HTTP Response

301

HTTP Request

GET http://qegyhig.com/login.php

HTTP Response

301
44.221.84.105:80

qetyfuv.com

svchost.exe

260 B
5
44.221.84.105:80

qetyfuv.com

svchost.exe

260 B
5
3.94.10.34:80

http://lymyxid.com/login.php

http

svchost.exe

544 B
627 B
6
5

HTTP Request

GET http://lymyxid.com/login.php

HTTP Response

200
178.162.203.202:80

http://gatyfus.com/login.php

http

svchost.exe

452 B
88 B
4
2

HTTP Request

GET http://gatyfus.com/login.php
154.212.231.82:80

http://gadyniw.com/login.php

http

svchost.exe

1.0kB
1.6kB
11
6

HTTP Request

GET http://gadyniw.com/login.php

HTTP Response

404

HTTP Request

GET http://gadyniw.com/login.php

HTTP Response

404
208.100.26.245:80

http://lyvyxor.com/login.php

http

svchost.exe

898 B
1.7kB
8
5

HTTP Request

GET http://lyvyxor.com/login.php

HTTP Response

404

HTTP Request

GET http://lyvyxor.com/login.php

HTTP Response

404
162.255.119.102:80

http://gahyqah.com/login.php

http

svchost.exe

682 B
475 B
9
4

HTTP Request

GET http://gahyqah.com/login.php

HTTP Response

302
34.227.7.138:80

http://vonypom.com/login.php

http

svchost.exe

544 B
619 B
6
5

HTTP Request

GET http://vonypom.com/login.php

HTTP Response

200
75.2.71.199:80

http://puzylyp.com/login.php

http

svchost.exe

590 B
418 B
7
6

HTTP Request

GET http://puzylyp.com/login.php

HTTP Response

308
199.191.50.83:80

http://galyqaz.com/login.php

http

svchost.exe

544 B
928 B
6
4

HTTP Request

GET http://galyqaz.com/login.php

HTTP Response

302
104.21.30.183:443

https://qegyhig.com/login.php

tls, http

svchost.exe

4.4kB
97.1kB
83
79

HTTP Request

GET https://qegyhig.com/login.php

HTTP Response

404

HTTP Response

400
75.2.71.199:443

https://puzylyp.com/login.php

tls, http

svchost.exe

3.9kB
71.0kB
72
70

HTTP Request

GET https://puzylyp.com/login.php

HTTP Response

200
91.195.240.19:80

http://www.gahyqah.com/login.php

http

svchost.exe

1.4kB
26.4kB
24
22

HTTP Request

GET http://www.gahyqah.com/login.php

HTTP Response

200

HTTP Response

400
142.250.179.67:80

http://c.pki.goog/r/r4.crl

http

svchost.exe

602 B
3.9kB
8
7

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
64.190.63.136:80

http://ww3.galyqaz.com/

http

svchost.exe

1.4kB
26.9kB
24
22

HTTP Request

GET http://ww3.galyqaz.com/

HTTP Response

200

HTTP Response

400
104.21.30.183:443

https://qegyhig.com/login.php

tls, http

svchost.exe

4.5kB
93.9kB
83
79

HTTP Request

GET https://qegyhig.com/login.php

HTTP Response

404

HTTP Response

400
44.221.84.105:80

qetyfuv.com

svchost.exe

260 B
5
44.221.84.105:80

qetyfuv.com

svchost.exe

260 B
5
178.162.203.202:80

http://gatyfus.com/login.php

http

svchost.exe

660 B
88 B
8
2

HTTP Request

GET http://gatyfus.com/login.php
13.248.169.48:80

http://pupydeq.com/login.php

http

svchost.exe

950 B
622 B
9
5

HTTP Request

GET http://pupydeq.com/login.php

HTTP Response

500

HTTP Request

GET http://pupydeq.com/login.php

HTTP Response

500
104.21.112.1:80

http://lysyvan.com/login.php

http

svchost.exe

898 B
2.3kB
8
7

HTTP Request

GET http://lysyvan.com/login.php

HTTP Response

301

HTTP Request

GET http://lysyvan.com/login.php

HTTP Response

301
61.158.134.198:80

lyrysor.com

svchost.exe

260 B
5
3.94.10.34:80

http://lygynud.com/login.php

http

svchost.exe

544 B
627 B
6
5

HTTP Request

GET http://lygynud.com/login.php

HTTP Response

200
34.227.7.138:80

http://pupycag.com/login.php

http

svchost.exe

544 B
627 B
6
5

HTTP Request

GET http://pupycag.com/login.php

HTTP Response

200
104.21.112.1:443

https://lysyvan.com/login.php

tls, http

svchost.exe

3.1kB
51.6kB
55
51

HTTP Request

GET https://lysyvan.com/login.php

HTTP Response

404

HTTP Response

400
104.21.112.1:443

https://lysyvan.com/login.php

tls, http

svchost.exe

3.2kB
48.5kB
55
51

HTTP Request

GET https://lysyvan.com/login.php

HTTP Response

404

HTTP Response

400
61.158.134.198:80

lyrysor.com

svchost.exe

260 B
5

8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

lyryfyd.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lyryfyd.com
8.8.8.8:53

qetyfuv.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

qetyfuv.com

DNS Response

44.221.84.105
8.8.8.8:53

vojyqem.com

dns

svchost.exe

57 B
99 B
1
1

DNS Request

vojyqem.com

DNS Response

199.59.243.227
8.8.8.8:53

lyvyxor.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

lyvyxor.com

DNS Response

208.100.26.245
8.8.8.8:53

puvyxil.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

puvyxil.com
8.8.8.8:53

vocyzit.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

vocyzit.com

DNS Response

44.221.84.105
8.8.8.8:53

gahyqah.com

dns

svchost.exe

57 B
89 B
1
1

DNS Request

gahyqah.com

DNS Response

162.255.119.102

23.253.46.64
8.8.8.8:53

qegyqaq.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qegyqaq.com
8.8.8.8:53

purydyv.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

purydyv.com
8.8.8.8:53

gacyzuz.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gacyzuz.com
8.8.8.8:53

lygymoj.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lygymoj.com
8.8.8.8:53

vowydef.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vowydef.com
8.8.8.8:53

qexylup.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qexylup.com
8.8.8.8:53

pufymoq.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

pufymoq.com
8.8.8.8:53

gaqydeb.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gaqydeb.com
8.8.8.8:53

lyxylux.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lyxylux.com
8.8.8.8:53

vofymik.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vofymik.com
8.8.8.8:53

qeqysag.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qeqysag.com
8.8.8.8:53

puzylyp.com

dns

svchost.exe

57 B
89 B
1
1

DNS Request

puzylyp.com

DNS Response

75.2.71.199

99.83.170.3
8.8.8.8:53

gadyniw.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

gadyniw.com

DNS Response

154.212.231.82
8.8.8.8:53

lymysan.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lymysan.com
8.8.8.8:53

volykyc.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

volykyc.com
8.8.8.8:53

qedynul.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qedynul.com
8.8.8.8:53

pumypog.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

pumypog.com
8.8.8.8:53

gatyfus.com

dns

svchost.exe

57 B
185 B
1
1

DNS Request

gatyfus.com

DNS Response

5.79.71.225

5.79.71.205

178.162.203.211

85.17.31.122

178.162.203.202

178.162.203.226

85.17.31.82

178.162.217.107
8.8.8.8:53

galykes.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

galykes.com
8.8.8.8:53

lysynur.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lysynur.com
8.8.8.8:53

qekykev.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qekykev.com
8.8.8.8:53

vonypom.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

vonypom.com

DNS Response

34.227.7.138
8.8.8.8:53

pupybul.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

pupybul.com
8.8.8.8:53

ganypih.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

ganypih.com
8.8.8.8:53

lykyjad.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lykyjad.com
8.8.8.8:53

vopybyt.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vopybyt.com
8.8.8.8:53

pujyjav.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

pujyjav.com
8.8.8.8:53

gatyvyz.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gatyvyz.com
8.8.8.8:53

lyvytuj.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lyvytuj.com
8.8.8.8:53

vojyjof.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vojyjof.com
8.8.8.8:53

qetyvep.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qetyvep.com
8.8.8.8:53

puvytuq.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

puvytuq.com
8.8.8.8:53

gahyhob.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gahyhob.com
8.8.8.8:53

lyryvex.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lyryvex.com
8.8.8.8:53

vocyruk.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vocyruk.com
8.8.8.8:53

qegyhig.com

dns

svchost.exe

57 B
89 B
1
1

DNS Request

qegyhig.com

DNS Response

172.67.173.131

104.21.30.183
8.8.8.8:53

purycap.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

purycap.com
8.8.8.8:53

gacyryw.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gacyryw.com
8.8.8.8:53

lygygin.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lygygin.com
8.8.8.8:53

vowycac.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vowycac.com
8.8.8.8:53

qexyryl.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qexyryl.com
8.8.8.8:53

pufygug.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

pufygug.com
8.8.8.8:53

gaqycos.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gaqycos.com
8.8.8.8:53

lyxywer.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lyxywer.com
8.8.8.8:53

vofygum.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vofygum.com
8.8.8.8:53

qeqyxov.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qeqyxov.com
8.8.8.8:53

puzywel.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

puzywel.com
8.8.8.8:53

gadyfuh.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gadyfuh.com
8.8.8.8:53

lymyxid.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

lymyxid.com

DNS Response

3.94.10.34
8.8.8.8:53

volyqat.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

volyqat.com
8.8.8.8:53

qedyfyq.com

dns

svchost.exe

114 B
260 B
2
2

DNS Request

qedyfyq.com

DNS Request

lykygur.com
8.8.8.8:53

pumyxiv.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

pumyxiv.com
8.8.8.8:53

galyqaz.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

galyqaz.com

DNS Response

199.191.50.83
8.8.8.8:53

lysyfyj.com

dns

svchost.exe

57 B
57 B
1
1

DNS Request

lysyfyj.com
8.8.8.8:53

vonyzuf.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vonyzuf.com
8.8.8.8:53

qekyqop.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qekyqop.com
8.8.8.8:53

qebytiq.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qebytiq.com
8.8.8.8:53

68.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

68.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

vojyqem.com

dns

svchost.exe

57 B
99 B
1
1

DNS Request

vojyqem.com

DNS Response

199.59.243.227
8.8.8.8:53

qegyhig.com

dns

svchost.exe

57 B
89 B
1
1

DNS Request

qegyhig.com

DNS Response

104.21.30.183

172.67.173.131
8.8.8.8:53

vocyzit.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

vocyzit.com

DNS Response

44.221.84.105
8.8.8.8:53

qetyfuv.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

qetyfuv.com

DNS Response

44.221.84.105
8.8.8.8:53

gatyfus.com

dns

svchost.exe

57 B
185 B
1
1

DNS Request

gatyfus.com

DNS Response

178.162.203.202

85.17.31.82

85.17.31.122

5.79.71.225

178.162.203.226

178.162.203.211

178.162.217.107

5.79.71.205
8.8.8.8:53

lymyxid.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

lymyxid.com

DNS Response

3.94.10.34
8.8.8.8:53

puzylyp.com

dns

svchost.exe

57 B
89 B
1
1

DNS Request

puzylyp.com

DNS Response

75.2.71.199

99.83.170.3
8.8.8.8:53

gahyqah.com

dns

svchost.exe

57 B
89 B
1
1

DNS Request

gahyqah.com

DNS Response

162.255.119.102

23.253.46.64
8.8.8.8:53

lyvyxor.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

lyvyxor.com

DNS Response

208.100.26.245
8.8.8.8:53

gadyniw.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

gadyniw.com

DNS Response

154.212.231.82
8.8.8.8:53

galyqaz.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

galyqaz.com

DNS Response

199.191.50.83
8.8.8.8:53

vonypom.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

vonypom.com

DNS Response

34.227.7.138
8.8.8.8:53

www.gahyqah.com

dns

svchost.exe

61 B
113 B
1
1

DNS Request

www.gahyqah.com

DNS Response

91.195.240.19
8.8.8.8:53

c.pki.goog

dns

svchost.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.179.67
8.8.8.8:53

ww3.galyqaz.com

dns

svchost.exe

122 B
206 B
2
2

DNS Request

ww3.galyqaz.com

DNS Request

ww3.galyqaz.com

DNS Response

64.190.63.136

DNS Response

64.190.63.136
8.8.8.8:53

34.143.101.95.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

34.143.101.95.in-addr.arpa
8.8.8.8:53

227.243.59.199.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

227.243.59.199.in-addr.arpa
8.8.8.8:53

183.30.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

183.30.21.104.in-addr.arpa
8.8.8.8:53

202.203.162.178.in-addr.arpa

dns

74 B
137 B
1
1

DNS Request

202.203.162.178.in-addr.arpa
8.8.8.8:53

199.71.2.75.in-addr.arpa

dns

70 B
126 B
1
1

DNS Request

199.71.2.75.in-addr.arpa
8.8.8.8:53

34.10.94.3.in-addr.arpa

dns

69 B
121 B
1
1

DNS Request

34.10.94.3.in-addr.arpa
8.8.8.8:53

245.26.100.208.in-addr.arpa

dns

73 B
127 B
1
1

DNS Request

245.26.100.208.in-addr.arpa
8.8.8.8:53

102.119.255.162.in-addr.arpa

dns

74 B
154 B
1
1

DNS Request

102.119.255.162.in-addr.arpa
8.8.8.8:53

138.7.227.34.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

138.7.227.34.in-addr.arpa
8.8.8.8:53

83.50.191.199.in-addr.arpa

dns

72 B
139 B
1
1

DNS Request

83.50.191.199.in-addr.arpa
8.8.8.8:53

82.231.212.154.in-addr.arpa

dns

73 B
134 B
1
1

DNS Request

82.231.212.154.in-addr.arpa
8.8.8.8:53

67.179.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

67.179.250.142.in-addr.arpa
8.8.8.8:53

19.240.195.91.in-addr.arpa

dns

72 B
156 B
1
1

DNS Request

19.240.195.91.in-addr.arpa
8.8.8.8:53

23.149.64.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

23.149.64.172.in-addr.arpa
8.8.8.8:53

233.38.18.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

233.38.18.104.in-addr.arpa
8.8.8.8:53

136.63.190.64.in-addr.arpa

dns

72 B
156 B
1
1

DNS Request

136.63.190.64.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

pupydeq.com

dns

svchost.exe

57 B
89 B
1
1

DNS Request

pupydeq.com

DNS Response

76.223.54.146

13.248.169.48
8.8.8.8:53

ganyzub.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

ganyzub.com
8.8.8.8:53

lykymox.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lykymox.com
8.8.8.8:53

vopydek.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vopydek.com
8.8.8.8:53

qebylug.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qebylug.com
8.8.8.8:53

pujymip.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

pujymip.com
8.8.8.8:53

gatydaw.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gatydaw.com
8.8.8.8:53

lyvylyn.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lyvylyn.com
8.8.8.8:53

vojymic.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vojymic.com
8.8.8.8:53

qetysal.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qetysal.com
8.8.8.8:53

puvylyg.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

puvylyg.com
8.8.8.8:53

gahynus.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gahynus.com
8.8.8.8:53

lyrysor.com

dns

svchost.exe

57 B
133 B
1
1

DNS Request

lyrysor.com

DNS Response

61.158.134.198
8.8.8.8:53

vocykem.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vocykem.com
8.8.8.8:53

qegynuv.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qegynuv.com
8.8.8.8:53

purypol.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

purypol.com
8.8.8.8:53

gacykeh.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gacykeh.com
8.8.8.8:53

lygynud.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

lygynud.com

DNS Response

3.94.10.34
8.8.8.8:53

vowypit.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vowypit.com
8.8.8.8:53

qexykaq.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qexykaq.com
8.8.8.8:53

pufybyv.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

pufybyv.com
8.8.8.8:53

gaqypiz.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gaqypiz.com
8.8.8.8:53

lyxyjaj.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lyxyjaj.com
8.8.8.8:53

vofybyf.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vofybyf.com
8.8.8.8:53

qeqytup.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qeqytup.com
8.8.8.8:53

puzyjoq.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

puzyjoq.com
8.8.8.8:53

gadyveb.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gadyveb.com
8.8.8.8:53

lymytux.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lymytux.com
8.8.8.8:53

volyjok.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

volyjok.com
8.8.8.8:53

pumytup.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

pumytup.com
8.8.8.8:53

qedyveg.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qedyveg.com
8.8.8.8:53

galyhiw.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

galyhiw.com
8.8.8.8:53

lysyvan.com

dns

svchost.exe

57 B
169 B
1
1

DNS Request

lysyvan.com

DNS Response

104.21.64.1

104.21.48.1

104.21.112.1

104.21.32.1

104.21.96.1

104.21.16.1

104.21.80.1
8.8.8.8:53

vonyryc.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vonyryc.com
8.8.8.8:53

qekyhil.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qekyhil.com
8.8.8.8:53

pupycag.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

pupycag.com

DNS Response

34.227.7.138
8.8.8.8:53

ganyrys.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

ganyrys.com
8.8.8.8:53

vopycom.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vopycom.com
8.8.8.8:53

pujygul.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

pujygul.com
8.8.8.8:53

qebyrev.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qebyrev.com
8.8.8.8:53

lyvywed.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lyvywed.com
8.8.8.8:53

vojygut.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vojygut.com
8.8.8.8:53

qetyxiq.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qetyxiq.com
8.8.8.8:53

gahyfyz.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gahyfyz.com
8.8.8.8:53

puvywav.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

puvywav.com
8.8.8.8:53

lyryxij.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lyryxij.com
8.8.8.8:53

vocyqaf.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vocyqaf.com
8.8.8.8:53

qegyfyp.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qegyfyp.com
8.8.8.8:53

gacyqob.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gacyqob.com
8.8.8.8:53

puryxuq.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

puryxuq.com
8.8.8.8:53

vowyzuk.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vowyzuk.com
8.8.8.8:53

lygyfex.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lygyfex.com
8.8.8.8:53

gatycoh.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gatycoh.com
8.8.8.8:53

qexyqog.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qexyqog.com
8.8.8.8:53

pufydep.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

pufydep.com
8.8.8.8:53

gaqyzuw.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gaqyzuw.com
8.8.8.8:53

lyxymin.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lyxymin.com
8.8.8.8:53

vofydac.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

vofydac.com
8.8.8.8:53

qeqylyl.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

qeqylyl.com
8.8.8.8:53

puzymig.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

puzymig.com
8.8.8.8:53

gadydas.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

gadydas.com
8.8.8.8:53

lymylyr.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

lymylyr.com
8.8.8.8:53

volymum.com

dns

svchost.exe

57 B
130 B
1
1

DNS Request

volymum.com
8.8.8.8:53

lyrysor.com

dns

svchost.exe

57 B
133 B
1
1

DNS Request

lyrysor.com

DNS Response

61.158.134.198
8.8.8.8:53

pupydeq.com

dns

svchost.exe

57 B
89 B
1
1

DNS Request

pupydeq.com

DNS Response

13.248.169.48

76.223.54.146
8.8.8.8:53

lygynud.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

lygynud.com

DNS Response

3.94.10.34
8.8.8.8:53

lysyvan.com

dns

svchost.exe

57 B
169 B
1
1

DNS Request

lysyvan.com

DNS Response

104.21.112.1

104.21.16.1

104.21.80.1

104.21.96.1

104.21.64.1

104.21.32.1

104.21.48.1
8.8.8.8:53

pupycag.com

dns

svchost.exe

57 B
73 B
1
1

DNS Request

pupycag.com

DNS Response

34.227.7.138
8.8.8.8:53

1.112.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

1.112.21.104.in-addr.arpa
8.8.8.8:53

48.169.248.13.in-addr.arpa

dns

72 B
128 B
1
1

DNS Request

48.169.248.13.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BEBD.tmp

Filesize
24KB

MD5
886fa3a152d872032bd5759a19ee54e4

SHA1
c8e5b8f2dc89dfa5f0d9d7c9b301b48422313aad

SHA256
3d685c7e80514bc94a42ee15641345edaafe0831317e05f81d458ec96053f3d1

SHA512
997b408cf2237f65302a05a179d936023ffa2951f9a1dfb64559031847120271212bb37edc54c7219312961e07774907e814305edea520e11cf597f80727df90

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEBF.tmp

Filesize
1KB

MD5
5e5d47b4183e6b5a135ead4beaaf7051

SHA1
3efcdb68d9d83afc05fc7c8072c3ac5a4d6f28cc

SHA256
b2cfdd13c40645a1ed0bce28f3219d8a1e8a1592b74b65f7f040aa93c8d090dd

SHA512
2e366aa45fd09cf917f53700023d351c1fad009cceca897158754498b69ddd2eae9eb7564dbb2ec1ce3380beb8f2e1a3a280d5f3727ed54256ad978f96a2c4e5

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
204KB

MD5
9a907d8cdbf23de4c38d0ea57fdd8b02

SHA1
f1801212519fd0fd965e0515ddfd54698f69b467

SHA256
ae92ce234e9b5a3a42eeaee5463632bc218320fcd6d319de4f556caa03fac3c8

SHA512
e7671313152b8b25c4c0e651c4ecd26c2c90ef61780793440b7ca6ecfe75c9eb9a15bcf04214df9ed8955dfdabed913ae7706cc8efd00e2d3df18ae98c56706b

Download Submit
memory/4376-0-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4376-1-0x00000000022E0000-0x0000000002331000-memory.dmp

Filesize
324KB

Download
memory/4376-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4376-14-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4376-16-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4376-15-0x00000000022E0000-0x0000000002331000-memory.dmp

Filesize
324KB

Download
memory/4996-61-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-57-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-17-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4996-18-0x0000000002AB0000-0x0000000002B58000-memory.dmp

Filesize
672KB

Download
memory/4996-19-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4996-20-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-24-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-22-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-32-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-40-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-79-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-78-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-77-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-76-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-75-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-74-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-73-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-72-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-71-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-70-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-69-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-67-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-66-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-65-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-64-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-63-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-62-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-12-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4996-60-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-59-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-58-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-13-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4996-56-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-55-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-54-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-52-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-51-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-50-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-49-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-48-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-46-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-45-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-44-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-43-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-42-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-41-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-39-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-38-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-37-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-36-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-35-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-34-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-33-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-30-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-31-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-29-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-28-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-27-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-26-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-68-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-53-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-47-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download
memory/4996-25-0x0000000002CA0000-0x0000000002D56000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response