Play interactive tour

Edit tour

Windows Analysis Report nZdwtTEYoW.exe

Overview

General Information

Sample Name:	nZdwtTEYoW.exe
Analysis ID:	451394
MD5:	c8feb9d53b567cd1bfb0e59cf7d26bc2
SHA1:	82a22cb59d46bae21fa4877015e163eacc04a022
SHA256:	642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

GuLoader behavior detected

Multi AV Scanner detection for submitted file

Sigma detected: RegAsm connects to smtp port

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

nZdwtTEYoW.exe (PID: 6052 cmdline: 'C:\Users\user\Desktop\nZdwtTEYoW.exe' MD5: C8FEB9D53B567CD1BFB0E59CF7D26BC2)

RegAsm.exe (PID: 4180 cmdline: 'C:\Users\user\Desktop\nZdwtTEYoW.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

Networking:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.54.122.60, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 4180, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49741

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: nZdwtTEYoW.exe	Virustotal: Detection: 25%			Perma Link
Source: nZdwtTEYoW.exe	ReversingLabs: Detection: 13%

Machine Learning detection for sample

Show sources

Source: nZdwtTEYoW.exe

Joe Sandbox ML: detected

Source: nZdwtTEYoW.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.97:443 -> 192.168.2.3:49740 version: TLS 1.2

Networking:

Source: global traffic

TCP traffic: 192.168.2.3:49741 -> 198.54.122.60:587

Source: Joe Sandbox View

IP Address: 198.54.122.60 198.54.122.60

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

TCP traffic: 192.168.2.3:49741 -> 198.54.122.60:587

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: RegAsm.exe, 0000000D.00000003.710145063.0000000000CEB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 0000000D.00000003.710145063.0000000000CEB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 0000000D.00000003.710350087.0000000001491000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 0000000D.00000003.710350087.0000000001491000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 0000000D.00000003.710350087.0000000001491000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 0000000D.00000003.710145063.0000000000CEB000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegAsm.exe, 0000000D.00000003.710145063.0000000000CEB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 0000000D.00000003.710350087.0000000001491000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 0000000D.00000003.710350087.0000000001491000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 0000000D.00000003.710572117.0000000000D35000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.
Source: RegAsm.exe, 0000000D.00000003.710145063.0000000000CEB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: RegAsm.exe, 0000000D.00000003.710350087.0000000001491000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 0000000D.00000003.710508701.0000000001465000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 0000000D.00000003.710508701.0000000001465000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000003.710522243.000000000146D000.00000004.00000001.sdmp	String found in binary or memory: https://doc-0k-ak-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/mf144o13
Source: RegAsm.exe, 0000000D.00000003.710350087.0000000001491000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 0000000D.00000003.710572117.0000000000D35000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/C
Source: RegAsm.exe, 0000000D.00000003.710145063.0000000000CEB000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.97:443 -> 192.168.2.3:49740 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Jump to behavior

Source: nZdwtTEYoW.exe, 00000000.00000002.480779785.00000000007BA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe

Code function: 0_2_00401128

0_2_00401128

Source: nZdwtTEYoW.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nZdwtTEYoW.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: nZdwtTEYoW.exe, 00000000.00000002.480723638.00000000005F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs nZdwtTEYoW.exe
Source: nZdwtTEYoW.exe, 00000000.00000000.219318988.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe
Source: nZdwtTEYoW.exe	Binary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: security.dll			Jump to behavior

Source: nZdwtTEYoW.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@4/2@25/3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\1t4tqdc1.agl

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_01

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe

File created: C:\Users\user\AppData\Local\Temp\~DF4BD41E0D5089FDFE.TMP

Jump to behavior

Source: nZdwtTEYoW.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: nZdwtTEYoW.exe	Virustotal: Detection: 25%
Source: nZdwtTEYoW.exe	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\nZdwtTEYoW.exe 'C:\Users\user\Desktop\nZdwtTEYoW.exe'
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\nZdwtTEYoW.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\nZdwtTEYoW.exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_00401128 push esi; retn 4D4Dh	0_2_0040263F
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_00404916 push 00000014h; ret	0_2_00404938
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02204823 push es; iretd	0_2_02204835
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02201C0D push 760D0222h; iretd	0_2_02201C1A
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02203246 push edx; iretd	0_2_02203210
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_022002A4 push edx; iretd	0_2_022002A6
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02201CB5 push ebx; iretd	0_2_02201CC9
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_022012BE push ebp; retf	0_2_022012C5
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02204299 push esp; iretd	0_2_0220429D
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_022000E9 push cs; iretd	0_2_022001ED
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_022004D6 push eax; iretd	0_2_022004D9
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02202724 push 5D6DA1A4h; ret	0_2_02202729
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02202546 pushfd ; iretd	0_2_02202559
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02200B4D push edi; iretd	0_2_02200B51
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_0220354F push ebx; iretd	0_2_02203551
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02206781 push ecx; ret	0_2_02206782
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02204588 push esi; retf	0_2_02204641
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02201793 push eax; iretd	0_2_02201795
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_02202593 push ecx; iretd	0_2_022025A9
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_022047EF push es; iretd	0_2_02204835
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_022043CC push CAFF1872h; retf	0_2_022043D1
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Code function: 0_2_022031CE push edx; iretd	0_2_02203210

Source: initial sample

Static PE information: section name: .text entropy: 6.90665747983

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	RDTSC instruction interceptor: First address: 000000000220928F second address: 000000000220928F instructions:
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	RDTSC instruction interceptor: First address: 00000000022005C0 second address: 00000000022005C0 instructions:
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	RDTSC instruction interceptor: First address: 00000000022008A2 second address: 00000000022008A2 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001005A59 second address: 0000000001005A59 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001002FEB second address: 0000000001002FEB instructions:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Function Chain: systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,threadCreated

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: nZdwtTEYoW.exe, 00000000.00000002.480974452.0000000002220000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: nZdwtTEYoW.exe, 00000000.00000002.480974452.0000000002220000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	RDTSC instruction interceptor: First address: 0000000002209277 second address: 000000000220928F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor ecx, AF55D2FDh 0x00000009 mov dword ptr [edi+ecx], eax 0x0000000c mov ecx, C83BC8F2h 0x00000011 xor ecx, 51282A31h 0x00000017 pushad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	RDTSC instruction interceptor: First address: 000000000220928F second address: 000000000220928F instructions:
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	RDTSC instruction interceptor: First address: 0000000002205296 second address: 0000000002205247 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 06679C27h 0x00000013 add eax, 0CEA5E56h 0x00000018 add eax, DE18C33Ah 0x0000001d sub eax, F16ABDB6h 0x00000022 cmp eax, eax 0x00000024 pushad 0x00000025 mov ebx, 000000DAh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	RDTSC instruction interceptor: First address: 0000000002205247 second address: 0000000002205296 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cpuid 0x00000005 bt ecx, 1Fh 0x00000009 jc 00007FEBD086EB9Eh 0x0000000f test dx, ax 0x00000012 popad 0x00000013 call 00007FEBD086C109h 0x00000018 lfence 0x0000001b rdtsc
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	RDTSC instruction interceptor: First address: 00000000022005C0 second address: 00000000022005C0 instructions:
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	RDTSC instruction interceptor: First address: 00000000022008A2 second address: 00000000022008A2 instructions:
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	RDTSC instruction interceptor: First address: 0000000002203C8D second address: 0000000002203DFF instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add dword ptr [edi+04h], 62B74E7Ch 0x0000000a mov eax, dword ptr [ebp+20h] 0x0000000d jmp 00007FEBD086C081h 0x00000012 cmp dh, bh 0x00000014 add eax, 00001410h 0x00000019 mov dword ptr [edi+08h], eax 0x0000001c test ch, ah 0x0000001e mov dword ptr [edi+0Ch], 361207FAh 0x00000025 xor dword ptr [edi+0Ch], 1EA55D3Ah 0x0000002c xor dword ptr [edi+0Ch], C3687A25h 0x00000033 cmp dx, dx 0x00000036 add dword ptr [edi+0Ch], 1420DF5Bh 0x0000003d cmp cl, 00000057h 0x00000040 mov dword ptr [edi+10h], 06FCCD04h 0x00000047 test al, dl 0x00000049 xor dword ptr [edi+10h], 6455CA4Dh 0x00000050 xor dword ptr [edi+10h], F2E3D9FCh 0x00000057 sub dword ptr [edi+10h], 904ADEB5h 0x0000005e mov dword ptr [edi+14h], 4FF36A5Bh 0x00000065 cmp ax, 00009154h 0x00000069 xor dword ptr [edi+14h], 61ED595Ah 0x00000070 xor dword ptr [edi+14h], 443083F2h 0x00000077 sub dword ptr [edi+14h], 6A2EB0F3h 0x0000007e test dh, ch 0x00000080 cmp dl, bl 0x00000082 pushad 0x00000083 lfence 0x00000086 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001005296 second address: 0000000001005247 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 06679C27h 0x00000013 add eax, 0CEA5E56h 0x00000018 add eax, DE18C33Ah 0x0000001d sub eax, F16ABDB6h 0x00000022 cmp eax, eax 0x00000024 pushad 0x00000025 mov ebx, 000000DAh 0x0000002a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001005247 second address: 0000000001005296 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cpuid 0x00000005 bt ecx, 1Fh 0x00000009 jc 00007FEBD086EA5Eh 0x0000000f test dx, ax 0x00000012 popad 0x00000013 call 00007FEBD086BFC9h 0x00000018 lfence 0x0000001b rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001005A59 second address: 0000000001005A59 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001002FEB second address: 0000000001002FEB instructions:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Window / User API: threadDelayed 2374

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -8130000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -40156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -40250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -46688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -45470s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -55312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -30594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -42094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -42218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -41812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -44626s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -116000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: nZdwtTEYoW.exe, 00000000.00000002.480974452.0000000002220000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: nZdwtTEYoW.exe, 00000000.00000002.480974452.0000000002220000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1000000

Jump to behavior

Source: C:\Users\user\Desktop\nZdwtTEYoW.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\nZdwtTEYoW.exe'

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: unknown VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Process Injection111	Masquerading1	OS Credential Dumping2	Security Software Discovery621	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools11	Input Capture111	Process Discovery1	Remote Desktop Protocol	Input Capture111	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion341	Security Account Manager	Virtualization/Sandbox Evasion341	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Application Window Discovery1	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Remote System Discovery1	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Information Discovery313	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
nZdwtTEYoW.exe	25%	Virustotal		Browse
nZdwtTEYoW.exe	13%	ReversingLabs	Win32.Trojan.Vebzenpak
nZdwtTEYoW.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://ocsp.sectigo.	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://sectigo.com/C	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
mail.privateemail.com	198.54.122.60	true	false	high
drive.google.com	142.250.203.110	true	false	high
googlehosted.l.googleusercontent.com	142.250.203.97	true	false	high
doc-0k-ak-docs.googleusercontent.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegAsm.exe, 0000000D.00000003.710145063.0000000000CEB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.	RegAsm.exe, 0000000D.00000003.710572117.0000000000D35000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	RegAsm.exe, 0000000D.00000003.710350087.0000000001491000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	RegAsm.exe, 0000000D.00000003.710145063.0000000000CEB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	RegAsm.exe, 0000000D.00000003.710350087.0000000001491000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	RegAsm.exe, 0000000D.00000003.710145063.0000000000CEB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://doc-0k-ak-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/mf144o13	RegAsm.exe, 0000000D.00000003.710508701.0000000001465000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000003.710522243.000000000146D000.00000004.00000001.sdmp	false		high
https://pki.goog/repository/0	RegAsm.exe, 0000000D.00000003.710350087.0000000001491000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/C	RegAsm.exe, 0000000D.00000003.710572117.0000000000D35000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	RegAsm.exe, 0000000D.00000003.710350087.0000000001491000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.203.97	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
142.250.203.110	drive.google.com	United States	15169	GOOGLEUS	false
198.54.122.60	mail.privateemail.com	United States	22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	451394
Start date:	20.07.2021
Start time:	15:58:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	nZdwtTEYoW.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@4/2@25/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.193.48, 104.43.139.144, 23.211.4.86, 20.50.102.62, 173.222.108.210, 173.222.108.226, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.210.154, 20.54.110.249, 20.190.160.6, 20.190.160.136, 20.190.160.67, 20.190.160.4, 20.190.160.134, 20.190.160.8, 20.190.160.2, 20.190.160.75, 93.184.220.29, 20.49.150.241 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, ocsp.digicert.com, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:01:24	API Interceptor	1648x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
198.54.122.60	CORRECT BANK DETAILS FORM.doc	Get hash	malicious	Browse
	Shipping Documents .doc	Get hash	malicious	Browse
	0Lh7eA2VUZ.exe	Get hash	malicious	Browse
	REQUEST FOR QUOTATIO 158930165.doc	Get hash	malicious	Browse
	Inv PKF312021.doc	Get hash	malicious	Browse
	RFQ- ROTO Fittings- 19072021.doc	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	20210716001.exe	Get hash	malicious	Browse
	20210716001.exe	Get hash	malicious	Browse
	Inquiry-Order.exe	Get hash	malicious	Browse
	New Order for Promax Ranger Neo2.doc	Get hash	malicious	Browse
	JaqsKbRJ8w.exe	Get hash	malicious	Browse
	neGJUsBCPT.exe	Get hash	malicious	Browse
	5Q2N9nbIIR.exe	Get hash	malicious	Browse
	BOQ.doc	Get hash	malicious	Browse
	Reversed Invoice KPR2021.doc	Get hash	malicious	Browse
	9PcMMlkF9y.exe	Get hash	malicious	Browse
	6mBVAJrIcy.exe	Get hash	malicious	Browse
	TpLxV14aT3.exe	Get hash	malicious	Browse
	requirement010.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.privateemail.com	CORRECT BANK DETAILS FORM.doc	Get hash	malicious	Browse	198.54.122.60
	Shipping Documents .doc	Get hash	malicious	Browse	198.54.122.60
	0Lh7eA2VUZ.exe	Get hash	malicious	Browse	198.54.122.60
	REQUEST FOR QUOTATIO 158930165.doc	Get hash	malicious	Browse	198.54.122.60
	Inv PKF312021.doc	Get hash	malicious	Browse	198.54.122.60
	RFQ- ROTO Fittings- 19072021.doc	Get hash	malicious	Browse	198.54.122.60
	SOA.exe	Get hash	malicious	Browse	198.54.122.60
	20210716001.exe	Get hash	malicious	Browse	198.54.122.60
	20210716001.exe	Get hash	malicious	Browse	198.54.122.60
	Inquiry-Order.exe	Get hash	malicious	Browse	198.54.122.60
	New Order for Promax Ranger Neo2.doc	Get hash	malicious	Browse	198.54.122.60
	JaqsKbRJ8w.exe	Get hash	malicious	Browse	198.54.122.60
	neGJUsBCPT.exe	Get hash	malicious	Browse	198.54.122.60
	5Q2N9nbIIR.exe	Get hash	malicious	Browse	198.54.122.60
	BOQ.doc	Get hash	malicious	Browse	198.54.122.60
	Reversed Invoice KPR2021.doc	Get hash	malicious	Browse	198.54.122.60
	9PcMMlkF9y.exe	Get hash	malicious	Browse	198.54.122.60
	6mBVAJrIcy.exe	Get hash	malicious	Browse	198.54.122.60
	TpLxV14aT3.exe	Get hash	malicious	Browse	198.54.122.60
	requirement010.exe	Get hash	malicious	Browse	198.54.122.60

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	CORRECT BANK DETAILS FORM.doc	Get hash	malicious	Browse	198.54.122.60
	Shipping Documents .doc	Get hash	malicious	Browse	198.54.122.60
	QxnlprRUTx.exe	Get hash	malicious	Browse	199.188.200.230
	0Lh7eA2VUZ.exe	Get hash	malicious	Browse	198.54.122.60
	REQUEST FOR QUOTATIO 158930165.doc	Get hash	malicious	Browse	198.54.122.60
	Statement.xlsx	Get hash	malicious	Browse	162.0.237.9
	Inv PKF312021.doc	Get hash	malicious	Browse	198.54.122.60
	RFQ- ROTO Fittings- 19072021.doc	Get hash	malicious	Browse	198.54.122.60
	INVOICE.exe	Get hash	malicious	Browse	198.54.117.211
	Order.exe	Get hash	malicious	Browse	198.54.117.215
	SOA.exe	Get hash	malicious	Browse	198.54.122.60
	Inv_7623980.exe	Get hash	malicious	Browse	63.250.34.223
	xBMx9OBP97.exe	Get hash	malicious	Browse	198.54.114.131
	CSyG3zNcwS.exe	Get hash	malicious	Browse	198.54.114.131
	BrCi5pJr8J.exe	Get hash	malicious	Browse	198.54.114.131
	QQ9XxgbU1G.exe	Get hash	malicious	Browse	198.54.114.131
	20210716001.exe	Get hash	malicious	Browse	198.54.122.60
	WR0MTpWkYC.exe	Get hash	malicious	Browse	198.54.114.131
	LPY15536W4.exe	Get hash	malicious	Browse	198.54.117.211
	frank.connardiii@globalfoundries.com_34834865Application.HTM	Get hash	malicious	Browse	68.65.122.97

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	unJLhL75HG.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	9bCnBwR693.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	BVD1xWp0y0.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	nRjbMQ5Jua.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	Hsbc Scan copy 3547856788 Pdf.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	DigitalLicense.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	vir.dll	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	#Ud53c#Uc544#Ub178.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	Wesnvuotnnnxvacefgejmjccyfnnrjmdmc.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	Wesnvuotnnnxvacefgejmjccyfnnrjmdmc.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	INV #95000987.html	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	F63V4i8eZU.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	Doc_PDF.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	5S6Cod7HCf.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	SecuriteInfo.com.W32.AIDetect.malware2.14010.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	xy3zf2YjS8.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	2dgOIcIVVb.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	2m4OlrMaLT.exe	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	WOVngDEXHM.dll	Get hash	malicious	Browse	142.250.203.110 142.250.203.97
	VUBuRErqKh.dll	Get hash	malicious	Browse	142.250.203.110 142.250.203.97

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\1t4tqdc1.agl\Chrome\Default\Cookies Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	modified
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	NordVPN directory not found!..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.4666127843418355
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nZdwtTEYoW.exe
File size:	118784
MD5:	c8feb9d53b567cd1bfb0e59cf7d26bc2
SHA1:	82a22cb59d46bae21fa4877015e163eacc04a022
SHA256:	642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a
SHA512:	da707134a7bfdcb66389f111bb363d1e7b7260bb718d6ae999a23fc538e2065d8be766a713d8d20860e835eb21609bbbcb0d0b6c237124fa38bd2ada04acf157
SSDEEP:	1536:/bjX1R6rHR+Gz6YsFdVfKcLe0NMDfuoFVHYGokXYtvcOOfgrJZ+R6rHJXdb:jjX1yH1HErzwmoFtoZtkJgrCyHJXd
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....!.Q.................@..........(........P....@................

File Icon


Icon Hash:	b29a4a4a5a4a4a45

Static PE Info

General
Entrypoint:	0x401128
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x510121E6 [Thu Jan 24 11:58:30 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5c4d602843f54570889588b32f7af650

Entrypoint Preview

Instruction
push 00407B98h
call 00007FEBD091D3B5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
lds esp, fword ptr [ecx-6Ch]
movsb
adc ch, byte ptr [edx+19h]
dec ebx
mov bh, byte ptr [ecx-56DB9884h]
hlt
add dword ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 55h
dec esi
inc edx
inc ebp
dec esp
push esp
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
pop es
xchg byte ptr [esi+5DD8F6A1h], cl
xor al, byte ptr [eax-6Bh]
jle 00007FEBD091D404h
mov esp, FCF62DCCh
in al, dx
cmp byte ptr [edi], 0000006Bh
mov bl, D2h
dec edx
mov ecx, 88920A1Fh
pop esp
jle 00007FEBD091D3FCh
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
into
imul eax, dword ptr [eax], 0068A700h
add byte ptr [eax], al
or byte ptr [eax], al
dec esp
inc ecx
dec esi
inc esp
dec esp
dec edi
inc ebx
dec ebx
add byte ptr [42001001h], cl
push edx
dec edi
dec esp
inc edi
inc edi
inc ebp
push edx
dec edx
dec edi
dec ebp
inc esi
push edx
push ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14b44	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x6d6a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x74	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13d90	0x14000	False	0.640209960938	data	6.90665747983	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x115c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x6d6a	0x7000	False	0.566301618304	data	5.78429982153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1cec2	0xea8	data
RT_ICON	0x1c61a	0x8a8	data
RT_ICON	0x1bf52	0x6c8	data
RT_ICON	0x1b9ea	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x19442	0x25a8	data
RT_ICON	0x1839a	0x10a8	data
RT_ICON	0x17a12	0x988	data
RT_ICON	0x175aa	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x17534	0x76	data
RT_VERSION	0x17240	0x2f4	data	Maltese	Malta

Imports

DLL	Import
MSVBVM60.DLL	_CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

Version Infos

Description	Data
Translation	0x043a 0x04b0
LegalCopyright	Schoology
InternalName	CALICOES
FileVersion	1.00
CompanyName	Schoology
LegalTrademarks	Schoology
Comments	Schoology
ProductName	Schoology
ProductVersion	1.00
FileDescription	Schoology
OriginalFilename	CALICOES.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Maltese	Malta

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 20, 2021 16:01:16.649255037 CEST	49739	443	192.168.2.3	142.250.203.110
Jul 20, 2021 16:01:16.699805021 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:01:16.699923992 CEST	49739	443	192.168.2.3	142.250.203.110
Jul 20, 2021 16:01:16.749443054 CEST	49739	443	192.168.2.3	142.250.203.110
Jul 20, 2021 16:01:16.800117970 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:01:16.813041925 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:01:16.813079119 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:01:16.813097954 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:01:16.813116074 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:01:16.813180923 CEST	49739	443	192.168.2.3	142.250.203.110
Jul 20, 2021 16:01:16.813214064 CEST	49739	443	192.168.2.3	142.250.203.110
Jul 20, 2021 16:01:16.936745882 CEST	49739	443	192.168.2.3	142.250.203.110
Jul 20, 2021 16:01:16.991370916 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:01:16.991651058 CEST	49739	443	192.168.2.3	142.250.203.110
Jul 20, 2021 16:01:17.031358004 CEST	49739	443	192.168.2.3	142.250.203.110
Jul 20, 2021 16:01:17.087317944 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:01:17.491307974 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:01:17.491343975 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:01:17.491358042 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:01:17.491871119 CEST	49739	443	192.168.2.3	142.250.203.110
Jul 20, 2021 16:01:17.591367960 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:17.642157078 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:17.642330885 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:17.643248081 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:17.695247889 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:17.708862066 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:17.708887100 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:17.708905935 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:17.708924055 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:17.708937883 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:17.709063053 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:17.709141016 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:17.727169037 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:17.777195930 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:17.777941942 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:17.778827906 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:17.833444118 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.032804966 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.032830954 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.032841921 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.032855034 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.032875061 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.033045053 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.038549900 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.038574934 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.038754940 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.039973974 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.040007114 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.040060043 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.042001963 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.044874907 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.044900894 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.045114040 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.047503948 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.047530890 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.047713041 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.050456047 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.050478935 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.050627947 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.053874969 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.054040909 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.082561016 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.082685947 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.082767963 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.082798004 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.084403992 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.084536076 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.084559917 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.084626913 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.088063002 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.088215113 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.088229895 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.088282108 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.091739893 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.091761112 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.092333078 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.095387936 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.095407963 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.095617056 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.099056959 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.099080086 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.099257946 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.102751970 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.102778912 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.102930069 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.106424093 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.106456041 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.106584072 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.110598087 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.110619068 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.110757113 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.113070011 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.113091946 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.113316059 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.116164923 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.116185904 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.116337061 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.121037960 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.121057034 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.121253014 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.123049021 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.123069048 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.123250008 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.125550985 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.125591993 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.125715017 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.130857944 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.130930901 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.131131887 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.131321907 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.131724119 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.131752968 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.131861925 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.135265112 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.135397911 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.135413885 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.135478020 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.138328075 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.138345957 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.138488054 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.141028881 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.141127110 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.142002106 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.142024994 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.145286083 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.145304918 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.145450115 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.148138046 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.148159981 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.148175001 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.148191929 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.148278952 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.148308992 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.151865005 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.151884079 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.151901960 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.152023077 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.153927088 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.153951883 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.154061079 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.156059980 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.156080008 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.156091928 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.156208038 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.160731077 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.160748959 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.160762072 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.160773993 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.160897970 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.164621115 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.164648056 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.164664984 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.164691925 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.164805889 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.164858103 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.168842077 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.168860912 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.168878078 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.169008970 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.170012951 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.170237064 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.170769930 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.170788050 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.170911074 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.174140930 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.174168110 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.174302101 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.174743891 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.174762011 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.175088882 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.178641081 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.178661108 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.178673029 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.178687096 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.179197073 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.182034969 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.182055950 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.182152987 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.184938908 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.184968948 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.184989929 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.185091972 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.185838938 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.185873032 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.185971022 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.185970068 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.186022997 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.190099955 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.190131903 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.190237999 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.190260887 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.191448927 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.191472054 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.191545963 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.192158937 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.192188978 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.192214012 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.192264080 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.192322016 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.192666054 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.192687035 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.192703962 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.192758083 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.192809105 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.195569038 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.195591927 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.195667028 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.195899963 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.195915937 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.195935011 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.195964098 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.196012974 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.197134972 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.197160006 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.197182894 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.197242975 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.197277069 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.199296951 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.199322939 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.199348927 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.199429989 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.200433969 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.200459957 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.200479984 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.200542927 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.200572014 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.203799009 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.203828096 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.203851938 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.203875065 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.203948975 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.203999996 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.204041958 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.204066992 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.204116106 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.206166029 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.206197023 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.206257105 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.206274986 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.207032919 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.207062960 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.207083941 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.207106113 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.207140923 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.207190990 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.207879066 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.207904100 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.207967043 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.208004951 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.210084915 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.210118055 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.210187912 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.211179972 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.211205959 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.211227894 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.211249113 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.211268902 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.211324930 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.211950064 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.211977959 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.212040901 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.212084055 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.212938070 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.212965965 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.213052034 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.214118958 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.214158058 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.214255095 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.215856075 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.215883017 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.215902090 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.215924978 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.215979099 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.216012001 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.216773987 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.216797113 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.216888905 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.217637062 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.217654943 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.217730999 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.217782974 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.218596935 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.218615055 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.218724012 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.221832991 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.221862078 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.221882105 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.221908092 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.221910000 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.221930027 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.221951962 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.221954107 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.222007990 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.223167896 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.223200083 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.223222971 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.223272085 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.223315954 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.224227905 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.224260092 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.224283934 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.224359989 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.225786924 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.225819111 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.225835085 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:01:18.225899935 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:18.225958109 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:01:49.220343113 CEST	49741	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:49.414838076 CEST	587	49741	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:49.415095091 CEST	49741	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:49.590362072 CEST	49741	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:49.611522913 CEST	587	49741	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:49.611706018 CEST	49741	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:49.784364939 CEST	587	49741	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:49.784565926 CEST	49741	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:49.784744978 CEST	587	49741	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:49.784831047 CEST	49741	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:53.656987906 CEST	49742	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:53.856530905 CEST	587	49742	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:53.856694937 CEST	49742	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:53.965256929 CEST	49742	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:54.055201054 CEST	587	49742	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:54.055345058 CEST	49742	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:54.165236950 CEST	587	49742	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:54.165353060 CEST	49742	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:54.166327000 CEST	587	49742	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:54.166452885 CEST	49742	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:58.578448057 CEST	49743	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:58.772808075 CEST	587	49743	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:58.774825096 CEST	49743	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:58.907217979 CEST	49743	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:58.973331928 CEST	587	49743	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:58.981839895 CEST	49743	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:59.101351023 CEST	587	49743	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:59.101466894 CEST	49743	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:01:59.101628065 CEST	587	49743	198.54.122.60	192.168.2.3
Jul 20, 2021 16:01:59.101963043 CEST	49743	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:03.704493046 CEST	49746	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:03.899139881 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:03.901654959 CEST	49746	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:04.098764896 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:04.099298954 CEST	49746	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:04.294400930 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:04.294552088 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:04.295017958 CEST	49746	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:04.489243031 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:04.522054911 CEST	49746	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:04.716234922 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:04.717801094 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:04.717832088 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:04.717856884 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:04.717888117 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:04.717988014 CEST	49746	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:04.755825996 CEST	49746	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:04.884474039 CEST	49746	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:04.950365067 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:04.951715946 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:04.952128887 CEST	49746	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:05.080379963 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:05.080892086 CEST	49746	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:05.081305981 CEST	587	49746	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:05.081367970 CEST	49746	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:09.572449923 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:09.770024061 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:09.770240068 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:09.969183922 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:09.969434023 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:10.166169882 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:10.166465998 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:10.166765928 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:10.367321014 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:10.367911100 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:10.564888954 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:10.566488981 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:10.566518068 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:10.566543102 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:10.566564083 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:10.570775032 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:10.576702118 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:10.775271893 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:10.776067972 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:10.809561968 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:11.006803989 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:11.007174015 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:11.007777929 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:11.038090944 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:11.206156969 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:11.207442999 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:11.207674980 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:11.235304117 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:11.235918045 CEST	587	49753	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:11.236011982 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:11.236665964 CEST	49753	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:16.533072948 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:16.727556944 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:16.727688074 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:16.923929930 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:16.924472094 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:17.118573904 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:17.118699074 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:17.119184971 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:17.313260078 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:17.313888073 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:17.507811069 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:17.508088112 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:17.509506941 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:17.510353088 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:17.703526974 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:17.703835964 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:17.704200983 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:17.704981089 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:17.706177950 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:17.900132895 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:17.903165102 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:17.903743982 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.097871065 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.101013899 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.106015921 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.303390980 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.307404041 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.307998896 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.503454924 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.526954889 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.527458906 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.721498966 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.722212076 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.726265907 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.726424932 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.726546049 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.726725101 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.726841927 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.726943016 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.727037907 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.727142096 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.727231026 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.727320910 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.727420092 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.727524996 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.727619886 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.727722883 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.727816105 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.727910042 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.920430899 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.920523882 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.920701981 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.920718908 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.920727968 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.920737982 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.920838118 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.921047926 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.921063900 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.921123028 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.921164989 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.921170950 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.921175957 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.921946049 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.921972036 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:18.922075033 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:18.922123909 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:19.114429951 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.114622116 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:19.114695072 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.114770889 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:19.114867926 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.114969015 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.114988089 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:19.115082979 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:19.116358995 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.116380930 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.116480112 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:19.116523981 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.116631985 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:19.116651058 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.242346048 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:19.309622049 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.309660912 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.309672117 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.309686899 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.310879946 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.311470985 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.311609983 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:19.436561108 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:20.643507004 CEST	587	49756	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:20.643775940 CEST	49756	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:23.573612928 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:23.773694038 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:23.773840904 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:23.973472118 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:23.974122047 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:24.171111107 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:24.171462059 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:24.171804905 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:24.368725061 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:24.369584084 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:24.566663027 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:24.566958904 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:24.568975925 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:24.570763111 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:24.765723944 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:24.765820026 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:24.767781973 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:24.768244982 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:24.768918037 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:24.967987061 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:24.968036890 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:24.968442917 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.165770054 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.168939114 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.169502974 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.366796970 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.371757030 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.372545004 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.570008993 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.597923994 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.598587990 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.795768023 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.797147989 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.798019886 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.798275948 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.798441887 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.798634052 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.798772097 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.798960924 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.799067020 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.799216032 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.799345970 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.799509048 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.799623966 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.799797058 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.799902916 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.800061941 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.803658009 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.803694963 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.995176077 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.995385885 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.995407104 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.995476007 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.995490074 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.995507956 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.995536089 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.995570898 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.995577097 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.995896101 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.995939016 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.995994091 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996009111 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996016026 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996123075 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.996139050 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.996159077 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996191025 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996200085 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996229887 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996236086 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996278048 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.996289015 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.996390104 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996449947 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996654987 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.996675014 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.996731043 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996743917 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.996758938 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.997031927 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.997143984 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:25.997230053 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:25.997241020 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.002737045 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.002896070 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.003001928 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.192614079 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.192646027 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.192786932 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.192940950 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.192956924 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.193030119 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.193063974 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.193103075 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.193118095 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.193131924 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.193146944 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.193161011 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.193196058 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.193214893 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.193253994 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.193279982 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.193279982 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.193382978 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.193392992 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.193937063 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.193960905 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.194056034 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.194139004 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.195092916 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.195632935 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.200027943 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.200059891 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.384419918 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.389998913 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.390011072 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.390072107 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.390269041 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.390301943 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.390377998 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.390407085 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.393646002 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.393678904 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.393698931 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.393714905 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.423841000 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.426846981 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.582242966 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.582268953 CEST	587	49757	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:26.582442045 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:26.582487106 CEST	49757	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:31.076443911 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:31.272555113 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:31.272655964 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:31.469063997 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:31.471573114 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:31.666620970 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:31.666650057 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:31.667433023 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:31.863683939 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:31.871479988 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:32.069536924 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:32.069566965 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:32.119338036 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:32.491591930 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:32.503546953 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:32.688669920 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:32.688703060 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:32.697993040 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:32.701201916 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:32.701848030 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:32.898590088 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:32.901925087 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:32.902508020 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:33.100410938 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:33.108822107 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:33.164138079 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:33.592626095 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:33.786909103 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:33.793858051 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:33.822205067 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:34.017457008 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:34.039994001 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:34.040549994 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:34.056130886 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:34.234911919 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:34.235595942 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:34.235852957 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:34.250461102 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:34.250475883 CEST	587	49758	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:34.250688076 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:34.250706911 CEST	49758	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:38.366811991 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:38.564409018 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:38.564574003 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:38.764539957 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:38.765013933 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:38.961941004 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:38.962157011 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:38.962588072 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:39.160888910 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:39.161556959 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:39.358424902 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:39.358774900 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:39.364049911 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:39.366926908 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:39.561192036 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:39.561227083 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:39.563847065 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:39.564443111 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:39.564902067 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:39.762065887 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:39.763060093 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:39.763465881 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:39.960477114 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:39.974929094 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:39.975760937 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.172784090 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.175306082 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.176107883 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.379318953 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.411281109 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.411847115 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.609338999 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.609365940 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.610428095 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.610610962 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.610784054 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.611057997 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.611221075 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.611380100 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.613858938 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.614216089 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.614437103 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.614590883 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.614737034 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.614886999 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.615030050 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.615206957 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.615361929 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.615504980 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.808924913 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.809283972 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.809304953 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.809565067 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.810081959 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.812118053 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.812143087 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.812155008 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.812175989 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:40.812413931 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:40.812602043 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:41.007447958 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.007472992 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.007857084 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:41.008136034 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.008256912 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:41.009306908 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.009390116 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:41.009663105 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:41.010803938 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.010823011 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.010838032 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.011029005 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:41.011069059 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:41.011204958 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:41.011337996 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:41.018731117 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:41.205826044 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.205846071 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.205853939 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.207084894 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.207103014 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.208892107 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.208906889 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.208914995 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.208976984 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.209809065 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.215528965 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.227293015 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:41.274235964 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:45.731161118 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:45.890178919 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:45.928199053 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:45.928467989 CEST	587	49759	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:45.929856062 CEST	49759	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:46.084490061 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:46.084625006 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:46.282213926 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:46.282908916 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:46.477612019 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:46.477880001 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:46.478698015 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:46.672389984 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:46.687552929 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:46.881513119 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:46.881623983 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:46.921041012 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:46.921080112 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:47.125987053 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.126025915 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.126041889 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.126053095 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.129138947 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:47.322700024 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.323978901 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.324623108 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:47.518066883 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.525451899 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.525996923 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:47.719854116 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.720686913 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.721589088 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:47.915242910 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.938548088 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:47.946547031 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:48.140292883 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:48.143160105 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:48.197393894 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:48.522243023 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:48.522699118 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:48.523005962 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:48.716536045 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:48.716960907 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:48.717149973 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:48.807600021 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:48.808260918 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:48.808362007 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:49.001691103 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:49.001705885 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:49.002288103 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:49.074629068 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:49.268184900 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:49.322808981 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:49.323332071 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:49.323510885 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:49.323695898 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:49.332845926 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:49.516726971 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:49.517134905 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:49.517158031 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:49.517260075 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:49.526695013 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:50.588920116 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:50.783982992 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:50.965229034 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:50.966082096 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:50.966574907 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.190668106 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.190682888 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.258586884 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.259244919 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.263294935 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.453016996 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.453037977 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.458772898 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.458973885 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.494255066 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.527168036 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.527695894 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.527724028 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.528172016 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.528188944 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.528196096 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.528199911 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.528666973 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.528682947 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.653070927 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.658180952 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.687915087 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.720643044 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.721076965 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.722170115 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.722182989 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.762413979 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.842153072 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.856230974 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.907083035 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.956254005 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:51.960011005 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.960589886 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.960597038 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.962136030 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.962147951 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:51.962153912 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:52.036276102 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:52.101505995 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:52.154534101 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:52.154547930 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:52.156408072 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:52.156419039 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:52.159235954 CEST	587	49760	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:52.159470081 CEST	49760	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:52.993172884 CEST	49761	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:53.190469980 CEST	587	49761	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:53.190655947 CEST	49761	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:53.371097088 CEST	49761	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:53.390088081 CEST	587	49761	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:53.390842915 CEST	49761	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:53.575468063 CEST	587	49761	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:53.575498104 CEST	587	49761	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:53.575597048 CEST	49761	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:53.575664043 CEST	49761	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:53.796395063 CEST	49762	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:53.992515087 CEST	587	49762	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:53.993396044 CEST	49762	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:54.190349102 CEST	587	49762	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:54.190762043 CEST	49762	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:54.261944056 CEST	49762	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:54.385349035 CEST	587	49762	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:54.385458946 CEST	587	49762	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:54.385613918 CEST	49762	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:54.456984997 CEST	587	49762	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:54.457004070 CEST	587	49762	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:54.457313061 CEST	49762	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:54.457335949 CEST	49762	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:57.050010920 CEST	49763	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:57.244894028 CEST	587	49763	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:57.245043039 CEST	49763	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:57.416817904 CEST	49763	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:57.444710970 CEST	587	49763	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:57.444807053 CEST	49763	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:57.611207008 CEST	587	49763	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:57.611233950 CEST	587	49763	198.54.122.60	192.168.2.3
Jul 20, 2021 16:02:57.611324072 CEST	49763	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:02:57.611356974 CEST	49763	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:02.180047035 CEST	49764	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:02.377824068 CEST	587	49764	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:02.380712986 CEST	49764	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:02.580193996 CEST	587	49764	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:02.580537081 CEST	49764	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:02.605385065 CEST	49764	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:02.777522087 CEST	587	49764	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:02.778055906 CEST	587	49764	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:02.778244972 CEST	49764	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:02.802334070 CEST	587	49764	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:02.802587986 CEST	49764	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:02.802891016 CEST	587	49764	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:02.802998066 CEST	49764	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:07.699150085 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:03:07.749425888 CEST	443	49740	142.250.203.97	192.168.2.3
Jul 20, 2021 16:03:07.749576092 CEST	49740	443	192.168.2.3	142.250.203.97
Jul 20, 2021 16:03:08.074800014 CEST	49739	443	192.168.2.3	142.250.203.110
Jul 20, 2021 16:03:08.125653028 CEST	443	49739	142.250.203.110	192.168.2.3
Jul 20, 2021 16:03:08.128498077 CEST	49739	443	192.168.2.3	142.250.203.110
Jul 20, 2021 16:03:08.401731968 CEST	49765	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:08.599200010 CEST	587	49765	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:08.599365950 CEST	49765	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:08.798110008 CEST	587	49765	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:08.798660040 CEST	49765	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:08.855851889 CEST	49765	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:08.995902061 CEST	587	49765	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:08.995985031 CEST	587	49765	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:08.996088982 CEST	49765	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:09.052830935 CEST	587	49765	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:09.053014040 CEST	49765	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:09.053168058 CEST	587	49765	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:09.053224087 CEST	49765	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:14.737409115 CEST	49766	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:14.932365894 CEST	587	49766	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:14.932574987 CEST	49766	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:15.105701923 CEST	49766	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:15.129210949 CEST	587	49766	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:15.129389048 CEST	49766	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:15.299271107 CEST	587	49766	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:15.299480915 CEST	49766	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:15.299722910 CEST	587	49766	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:15.299774885 CEST	49766	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:21.513212919 CEST	49767	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:21.711272001 CEST	587	49767	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:21.711400986 CEST	49767	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:21.840857983 CEST	49767	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:21.910490990 CEST	587	49767	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:21.910651922 CEST	49767	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:22.039319038 CEST	587	49767	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:22.039881945 CEST	587	49767	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:22.043462992 CEST	49767	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:22.043564081 CEST	49767	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:28.061208010 CEST	49768	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:28.258487940 CEST	587	49768	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:28.259370089 CEST	49768	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:28.458374023 CEST	587	49768	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:28.462193012 CEST	49768	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:28.513695955 CEST	49768	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:28.660984039 CEST	587	49768	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:28.661011934 CEST	587	49768	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:28.661164045 CEST	49768	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:28.711354971 CEST	587	49768	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:28.711478949 CEST	49768	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:28.712275028 CEST	587	49768	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:28.712568045 CEST	49768	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:34.904155970 CEST	49769	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:35.101931095 CEST	587	49769	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:35.102152109 CEST	49769	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:35.303242922 CEST	587	49769	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:35.303745985 CEST	49769	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:35.326327085 CEST	49769	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:35.500746965 CEST	587	49769	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:35.501075029 CEST	587	49769	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:35.501210928 CEST	49769	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:35.524123907 CEST	587	49769	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:35.524262905 CEST	49769	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:35.525495052 CEST	587	49769	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:35.525636911 CEST	49769	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:41.959156990 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:42.154423952 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:42.154614925 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:42.350254059 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:42.350675106 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:42.544348955 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:42.544569016 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:42.545100927 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:42.739053965 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:42.740044117 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:42.933998108 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:42.934020042 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:42.936846018 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:42.938005924 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:43.130506992 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.130542994 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.131867886 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.132761002 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.133339882 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:43.328210115 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.330306053 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.331063032 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:43.524777889 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.527040958 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.527769089 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:43.723341942 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.726912975 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.730737925 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:43.924537897 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.955959082 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:43.974324942 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.167939901 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.168562889 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.169419050 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.169652939 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.169878006 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.170228004 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.170387030 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.170497894 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.170600891 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.170706034 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.170826912 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.170933962 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.171049118 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.171186924 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.171331882 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.171437025 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.171547890 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.171698093 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.363163948 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.363188982 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.363406897 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.363405943 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.363686085 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.363765955 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.363796949 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.363894939 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.363990068 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.364001036 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.364043951 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.364073992 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.364087105 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.364135027 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.364267111 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.364309072 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.364341974 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.364535093 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.364561081 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.364573956 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.364655018 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.364778042 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.364830017 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.364845991 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.365040064 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.365052938 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.365115881 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.365138054 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.365144968 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.365211964 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.365216017 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.367302895 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.367485046 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.557049990 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.557315111 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.557348013 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.557591915 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.557604074 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.557717085 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.557878017 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.557888985 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.557904005 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.557913065 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.557980061 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.558043003 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.558141947 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.558242083 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.558299065 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.558312893 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.558404922 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.558497906 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.558701992 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.558917046 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.558928013 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.558943033 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.558952093 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.559043884 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.559151888 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.559396029 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.559597969 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.559745073 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.559921980 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:44.561171055 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.561183929 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.751276970 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.751307011 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.751316071 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.751324892 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.751363993 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.751622915 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.751883030 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.751909018 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.752110958 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.752147913 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.752162933 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.752172947 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.752254009 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.752474070 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.752537966 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.752552986 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.752737999 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.752774954 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.752984047 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.753142118 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.753261089 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.767180920 CEST	587	49770	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:44.811376095 CEST	49770	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:48.881572962 CEST	49771	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:49.079339981 CEST	587	49771	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:49.079479933 CEST	49771	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:49.217951059 CEST	49771	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:49.279462099 CEST	587	49771	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:49.279611111 CEST	49771	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:49.415607929 CEST	587	49771	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:49.415663004 CEST	587	49771	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:49.415728092 CEST	49771	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:49.415756941 CEST	49771	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:56.602813005 CEST	49772	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:56.797208071 CEST	587	49772	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:56.797439098 CEST	49772	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:56.906362057 CEST	49772	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:56.998744965 CEST	587	49772	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:56.998908043 CEST	49772	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:57.102726936 CEST	587	49772	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:57.102756023 CEST	587	49772	198.54.122.60	192.168.2.3
Jul 20, 2021 16:03:57.102787971 CEST	49772	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:03:57.102816105 CEST	49772	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:12.112368107 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:12.306408882 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:12.309561014 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:12.507214069 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:12.508210897 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:12.704125881 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:12.704148054 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:12.753772974 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:12.818646908 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:13.012594938 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:13.030934095 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:13.225519896 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:13.225542068 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:13.227786064 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:13.229379892 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:13.422533035 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:13.422559023 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:13.425543070 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:13.425566912 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:13.426915884 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:13.621815920 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:13.624017954 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:13.624881029 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:13.820535898 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:13.824325085 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:13.824866056 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.018534899 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.020993948 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.021678925 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.216149092 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.240459919 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.241096973 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.434670925 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.435642958 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.436711073 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.436955929 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.437158108 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.437479019 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.437849998 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.438060045 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.438580990 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.438879013 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.439178944 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.439188004 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.439446926 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.439744949 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.440073967 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.440476894 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.440485954 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.440865993 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.630367041 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.630697966 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.630764961 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.630934954 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.631170988 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.631417990 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.631614923 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.631628036 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.631736994 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.631743908 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.631747007 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.632210016 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.632276058 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.632282019 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.632484913 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.632570982 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.632808924 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.632836103 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.632843018 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.632872105 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.633131027 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.633178949 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.633184910 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.633210897 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.633256912 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.633263111 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.633816004 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.633877993 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.633884907 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.634007931 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.634057045 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.634063959 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.634329081 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.634380102 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.634385109 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.634413958 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.634459019 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.634464025 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.635335922 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.824261904 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.824357986 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.824728012 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.824954033 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.825016022 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.825283051 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.825592041 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.825675011 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.825794935 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.825846910 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.826075077 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.826086998 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.826098919 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.826132059 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.826181889 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.826471090 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.826555014 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.826600075 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.826628923 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.826654911 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.826693058 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.826741934 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.826806068 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.826944113 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.826991081 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.827044964 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.827756882 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.827816963 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.828035116 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.828048944 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.828058958 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.828069925 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:14.828110933 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.828140020 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.828146935 CEST	49777	587	192.168.2.3	198.54.122.60
Jul 20, 2021 16:04:14.828794003 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.018178940 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.018383980 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.018539906 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.018735886 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.019184113 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.019196987 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.019375086 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.019537926 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.019656897 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.019669056 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.020184994 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.020359039 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.020373106 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.020382881 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.020509958 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.020620108 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.020632029 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.021258116 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.021584034 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.021939039 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.021975040 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.035438061 CEST	587	49777	198.54.122.60	192.168.2.3
Jul 20, 2021 16:04:15.079003096 CEST	49777	587	192.168.2.3	198.54.122.60

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 20, 2021 15:59:09.686992884 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:09.745769024 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:10.542202950 CEST	60152	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:10.603908062 CEST	53	60152	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:11.489335060 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:11.543759108 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:12.897804976 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:12.960850000 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:13.936111927 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:13.999166965 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:14.959609985 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:15.020333052 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:16.084290028 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:16.146667957 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:17.370071888 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:17.423352957 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:18.346654892 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:18.399290085 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:19.343493938 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:19.393317938 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:20.276182890 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:20.337486982 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:21.363965988 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:21.415932894 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:22.606445074 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:22.660902023 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:23.562870026 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:23.616388083 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:26.066628933 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:26.120908022 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:26.990281105 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:27.039769888 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:27.913355112 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:27.964998960 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:39.527177095 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:39.586595058 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 20, 2021 15:59:40.621812105 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 20, 2021 15:59:40.689826012 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 20, 2021 16:00:03.352047920 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:00:03.415648937 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 20, 2021 16:00:05.163518906 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:00:05.235311031 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 20, 2021 16:00:16.513597012 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:00:16.574421883 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 20, 2021 16:00:22.697794914 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:00:22.758805990 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 20, 2021 16:00:57.850130081 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:00:57.908248901 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 20, 2021 16:01:01.997508049 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:01:02.057403088 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 20, 2021 16:01:16.561033010 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:01:16.629291058 CEST	53	56132	8.8.8.8	192.168.2.3
Jul 20, 2021 16:01:17.522702932 CEST	58987	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:01:17.588656902 CEST	53	58987	8.8.8.8	192.168.2.3
Jul 20, 2021 16:01:49.130983114 CEST	56579	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:01:49.187897921 CEST	53	56579	8.8.8.8	192.168.2.3
Jul 20, 2021 16:01:53.596967936 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:01:53.655529976 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 20, 2021 16:01:58.489578962 CEST	61292	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:01:58.551398039 CEST	53	61292	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:01.685981035 CEST	63619	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:01.746788979 CEST	53	63619	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:02.934686899 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:02.991970062 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:03.642308950 CEST	61946	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:03.702356100 CEST	53	61946	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:03.783469915 CEST	64910	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:03.842968941 CEST	53	64910	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:04.501070023 CEST	52123	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:04.561711073 CEST	53	52123	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:05.266207933 CEST	56130	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:05.323101997 CEST	53	56130	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:06.205374002 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:06.262830019 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:07.010139942 CEST	59420	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:07.059195995 CEST	53	59420	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:08.094140053 CEST	58784	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:08.151350975 CEST	53	58784	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:09.503528118 CEST	63978	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:09.563635111 CEST	53	63978	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:09.844876051 CEST	62938	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:09.897218943 CEST	53	62938	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:10.606864929 CEST	55708	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:10.666732073 CEST	53	55708	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:16.476000071 CEST	56803	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:16.528083086 CEST	53	56803	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:23.505131006 CEST	57145	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:23.561988115 CEST	53	57145	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:31.021351099 CEST	55359	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:31.073971033 CEST	53	55359	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:38.307100058 CEST	58306	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:38.359966040 CEST	53	58306	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:45.829462051 CEST	64124	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:45.881372929 CEST	53	64124	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:52.933203936 CEST	49361	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:52.991389036 CEST	53	49361	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:53.723814011 CEST	63150	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:53.776395082 CEST	53	63150	8.8.8.8	192.168.2.3
Jul 20, 2021 16:02:56.978291035 CEST	53279	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:02:57.038001060 CEST	53	53279	8.8.8.8	192.168.2.3
Jul 20, 2021 16:03:02.120524883 CEST	56881	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:03:02.177850962 CEST	53	56881	8.8.8.8	192.168.2.3
Jul 20, 2021 16:03:08.339550018 CEST	53642	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:03:08.399729013 CEST	53	53642	8.8.8.8	192.168.2.3
Jul 20, 2021 16:03:14.666552067 CEST	55667	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:03:14.723648071 CEST	53	55667	8.8.8.8	192.168.2.3
Jul 20, 2021 16:03:21.407037020 CEST	54833	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:03:21.468868017 CEST	53	54833	8.8.8.8	192.168.2.3
Jul 20, 2021 16:03:27.999461889 CEST	62476	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:03:28.050875902 CEST	53	62476	8.8.8.8	192.168.2.3
Jul 20, 2021 16:03:34.842991114 CEST	49705	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:03:34.899969101 CEST	53	49705	8.8.8.8	192.168.2.3
Jul 20, 2021 16:03:41.899107933 CEST	61477	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:03:41.956672907 CEST	53	61477	8.8.8.8	192.168.2.3
Jul 20, 2021 16:03:48.829394102 CEST	61633	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:03:48.879498959 CEST	53	61633	8.8.8.8	192.168.2.3
Jul 20, 2021 16:03:56.542314053 CEST	55949	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:03:56.600330114 CEST	53	55949	8.8.8.8	192.168.2.3
Jul 20, 2021 16:04:04.204080105 CEST	57601	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:04:04.260910988 CEST	53	57601	8.8.8.8	192.168.2.3
Jul 20, 2021 16:04:04.521047115 CEST	49342	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:04:04.571626902 CEST	53	49342	8.8.8.8	192.168.2.3
Jul 20, 2021 16:04:05.164776087 CEST	56253	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:04:05.230040073 CEST	53	56253	8.8.8.8	192.168.2.3
Jul 20, 2021 16:04:11.109642029 CEST	49667	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:04:11.183250904 CEST	53	49667	8.8.8.8	192.168.2.3
Jul 20, 2021 16:04:12.056706905 CEST	55439	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:04:12.110840082 CEST	53	55439	8.8.8.8	192.168.2.3
Jul 20, 2021 16:04:16.757446051 CEST	57069	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:04:16.814409971 CEST	53	57069	8.8.8.8	192.168.2.3
Jul 20, 2021 16:04:17.133900881 CEST	57659	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:04:17.184412956 CEST	53	57659	8.8.8.8	192.168.2.3
Jul 20, 2021 16:06:28.928275108 CEST	54717	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:06:28.994211912 CEST	53	54717	8.8.8.8	192.168.2.3
Jul 20, 2021 16:07:05.017988920 CEST	63975	53	192.168.2.3	8.8.8.8
Jul 20, 2021 16:07:05.091588974 CEST	53	63975	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 20, 2021 16:01:16.561033010 CEST	192.168.2.3	8.8.8.8	0x5431	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:01:17.522702932 CEST	192.168.2.3	8.8.8.8	0x9b80	Standard query (0)	doc-0k-ak-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:01:49.130983114 CEST	192.168.2.3	8.8.8.8	0x72a6	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:01:53.596967936 CEST	192.168.2.3	8.8.8.8	0x807c	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:01:58.489578962 CEST	192.168.2.3	8.8.8.8	0x9b5e	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:03.642308950 CEST	192.168.2.3	8.8.8.8	0xa7be	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:09.503528118 CEST	192.168.2.3	8.8.8.8	0xb30d	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:16.476000071 CEST	192.168.2.3	8.8.8.8	0x76ff	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:23.505131006 CEST	192.168.2.3	8.8.8.8	0x7c28	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:31.021351099 CEST	192.168.2.3	8.8.8.8	0xdbfe	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:38.307100058 CEST	192.168.2.3	8.8.8.8	0xf9e6	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:45.829462051 CEST	192.168.2.3	8.8.8.8	0xe75a	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:52.933203936 CEST	192.168.2.3	8.8.8.8	0xf58b	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:53.723814011 CEST	192.168.2.3	8.8.8.8	0x3720	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:56.978291035 CEST	192.168.2.3	8.8.8.8	0xd4b	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:02.120524883 CEST	192.168.2.3	8.8.8.8	0xaaab	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:08.339550018 CEST	192.168.2.3	8.8.8.8	0xf053	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:14.666552067 CEST	192.168.2.3	8.8.8.8	0xc9cf	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:21.407037020 CEST	192.168.2.3	8.8.8.8	0x7fa9	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:27.999461889 CEST	192.168.2.3	8.8.8.8	0x4517	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:34.842991114 CEST	192.168.2.3	8.8.8.8	0xc4c0	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:41.899107933 CEST	192.168.2.3	8.8.8.8	0x8d83	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:48.829394102 CEST	192.168.2.3	8.8.8.8	0x1e6a	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:56.542314053 CEST	192.168.2.3	8.8.8.8	0xd7be	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jul 20, 2021 16:04:12.056706905 CEST	192.168.2.3	8.8.8.8	0x7218	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 20, 2021 16:01:16.629291058 CEST	8.8.8.8	192.168.2.3	0x5431	No error (0)	drive.google.com		142.250.203.110	A (IP address)	IN (0x0001)
Jul 20, 2021 16:01:17.588656902 CEST	8.8.8.8	192.168.2.3	0x9b80	No error (0)	doc-0k-ak-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Jul 20, 2021 16:01:17.588656902 CEST	8.8.8.8	192.168.2.3	0x9b80	No error (0)	googlehosted.l.googleusercontent.com		142.250.203.97	A (IP address)	IN (0x0001)
Jul 20, 2021 16:01:49.187897921 CEST	8.8.8.8	192.168.2.3	0x72a6	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:01:53.655529976 CEST	8.8.8.8	192.168.2.3	0x807c	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:01:58.551398039 CEST	8.8.8.8	192.168.2.3	0x9b5e	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:03.702356100 CEST	8.8.8.8	192.168.2.3	0xa7be	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:09.563635111 CEST	8.8.8.8	192.168.2.3	0xb30d	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:16.528083086 CEST	8.8.8.8	192.168.2.3	0x76ff	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:23.561988115 CEST	8.8.8.8	192.168.2.3	0x7c28	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:31.073971033 CEST	8.8.8.8	192.168.2.3	0xdbfe	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:38.359966040 CEST	8.8.8.8	192.168.2.3	0xf9e6	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:45.881372929 CEST	8.8.8.8	192.168.2.3	0xe75a	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:52.991389036 CEST	8.8.8.8	192.168.2.3	0xf58b	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:53.776395082 CEST	8.8.8.8	192.168.2.3	0x3720	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:02:57.038001060 CEST	8.8.8.8	192.168.2.3	0xd4b	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:02.177850962 CEST	8.8.8.8	192.168.2.3	0xaaab	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:08.399729013 CEST	8.8.8.8	192.168.2.3	0xf053	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:14.723648071 CEST	8.8.8.8	192.168.2.3	0xc9cf	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:21.468868017 CEST	8.8.8.8	192.168.2.3	0x7fa9	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:28.050875902 CEST	8.8.8.8	192.168.2.3	0x4517	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:34.899969101 CEST	8.8.8.8	192.168.2.3	0xc4c0	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:41.956672907 CEST	8.8.8.8	192.168.2.3	0x8d83	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:48.879498959 CEST	8.8.8.8	192.168.2.3	0x1e6a	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:03:56.600330114 CEST	8.8.8.8	192.168.2.3	0xd7be	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jul 20, 2021 16:04:04.260910988 CEST	8.8.8.8	192.168.2.3	0x50da	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jul 20, 2021 16:04:12.110840082 CEST	8.8.8.8	192.168.2.3	0x7218	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 20, 2021 16:01:16.813116074 CEST	142.250.203.110	443	192.168.2.3	49739	CN=*.google.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Mon Jun 28 03:38:45 CEST 2021 Thu Jun 15 02:00:42 CEST 2017	Mon Sep 20 03:38:44 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jul 20, 2021 16:01:16.813116074 CEST	142.250.203.110	443	192.168.2.3	49739	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19
Jul 20, 2021 16:01:17.708937883 CEST	142.250.203.97	443	192.168.2.3	49740	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Mon Jun 28 05:06:51 CEST 2021 Thu Jun 15 02:00:42 CEST 2017	Mon Sep 20 05:06:50 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jul 20, 2021 16:01:17.708937883 CEST	142.250.203.97	443	192.168.2.3	49740	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 20, 2021 16:01:49.611522913 CEST	587	49741	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:01:54.055201054 CEST	587	49742	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:01:58.973331928 CEST	587	49743	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:02:04.098764896 CEST	587	49746	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:02:04.099298954 CEST	49746	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:02:04.294552088 CEST	587	49746	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:02:04.295017958 CEST	49746	587	192.168.2.3	198.54.122.60	STARTTLS
Jul 20, 2021 16:02:04.489243031 CEST	587	49746	198.54.122.60	192.168.2.3	220 Ready to start TLS
Jul 20, 2021 16:02:09.969183922 CEST	587	49753	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:02:09.969434023 CEST	49753	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:02:10.166465998 CEST	587	49753	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:02:10.166765928 CEST	49753	587	192.168.2.3	198.54.122.60	STARTTLS
Jul 20, 2021 16:02:10.367321014 CEST	587	49753	198.54.122.60	192.168.2.3	220 Ready to start TLS
Jul 20, 2021 16:02:16.923929930 CEST	587	49756	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:02:16.924472094 CEST	49756	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:02:17.118699074 CEST	587	49756	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:02:17.119184971 CEST	49756	587	192.168.2.3	198.54.122.60	STARTTLS
Jul 20, 2021 16:02:17.313260078 CEST	587	49756	198.54.122.60	192.168.2.3	220 Ready to start TLS
Jul 20, 2021 16:02:23.973472118 CEST	587	49757	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:02:23.974122047 CEST	49757	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:02:24.171462059 CEST	587	49757	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:02:24.171804905 CEST	49757	587	192.168.2.3	198.54.122.60	STARTTLS
Jul 20, 2021 16:02:24.368725061 CEST	587	49757	198.54.122.60	192.168.2.3	220 Ready to start TLS
Jul 20, 2021 16:02:31.469063997 CEST	587	49758	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:02:31.471573114 CEST	49758	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:02:31.666650057 CEST	587	49758	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:02:31.667433023 CEST	49758	587	192.168.2.3	198.54.122.60	STARTTLS
Jul 20, 2021 16:02:31.863683939 CEST	587	49758	198.54.122.60	192.168.2.3	220 Ready to start TLS
Jul 20, 2021 16:02:38.764539957 CEST	587	49759	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:02:38.765013933 CEST	49759	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:02:38.962157011 CEST	587	49759	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:02:38.962588072 CEST	49759	587	192.168.2.3	198.54.122.60	STARTTLS
Jul 20, 2021 16:02:39.160888910 CEST	587	49759	198.54.122.60	192.168.2.3	220 Ready to start TLS
Jul 20, 2021 16:02:46.282213926 CEST	587	49760	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:02:46.282908916 CEST	49760	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:02:46.477880001 CEST	587	49760	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:02:46.478698015 CEST	49760	587	192.168.2.3	198.54.122.60	STARTTLS
Jul 20, 2021 16:02:46.672389984 CEST	587	49760	198.54.122.60	192.168.2.3	220 Ready to start TLS
Jul 20, 2021 16:02:53.390088081 CEST	587	49761	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:02:54.190349102 CEST	587	49762	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:02:54.190762043 CEST	49762	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:02:54.385458946 CEST	587	49762	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:02:57.444710970 CEST	587	49763	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:03:02.580193996 CEST	587	49764	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:03:02.580537081 CEST	49764	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:03:02.778055906 CEST	587	49764	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:03:08.798110008 CEST	587	49765	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:03:08.798660040 CEST	49765	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:03:08.995985031 CEST	587	49765	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:03:15.129210949 CEST	587	49766	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:03:21.910490990 CEST	587	49767	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:03:28.458374023 CEST	587	49768	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:03:28.462193012 CEST	49768	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:03:28.661011934 CEST	587	49768	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:03:35.303242922 CEST	587	49769	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:03:35.303745985 CEST	49769	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:03:35.501075029 CEST	587	49769	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:03:42.350254059 CEST	587	49770	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:03:42.350675106 CEST	49770	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:03:42.544569016 CEST	587	49770	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:03:42.545100927 CEST	49770	587	192.168.2.3	198.54.122.60	STARTTLS
Jul 20, 2021 16:03:42.739053965 CEST	587	49770	198.54.122.60	192.168.2.3	220 Ready to start TLS
Jul 20, 2021 16:03:49.279462099 CEST	587	49771	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:03:56.998744965 CEST	587	49772	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:04:12.507214069 CEST	587	49777	198.54.122.60	192.168.2.3	220 PrivateEmail.com prod Mail Node
Jul 20, 2021 16:04:12.508210897 CEST	49777	587	192.168.2.3	198.54.122.60	EHLO 724536
Jul 20, 2021 16:04:12.704148054 CEST	587	49777	198.54.122.60	192.168.2.3	250-mta-07.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
Jul 20, 2021 16:04:12.818646908 CEST	49777	587	192.168.2.3	198.54.122.60	STARTTLS
Jul 20, 2021 16:04:13.012594938 CEST	587	49777	198.54.122.60	192.168.2.3	220 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: nZdwtTEYoW.exe PID: 6052 Parent PID: 5728

General

Start time:	15:59:17
Start date:	20/07/2021
Path:	C:\Users\user\Desktop\nZdwtTEYoW.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\nZdwtTEYoW.exe'
Imagebase:	0x400000
File size:	118784 bytes
MD5 hash:	C8FEB9D53B567CD1BFB0E59CF7D26BC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 4180 Parent PID: 6052

General

Start time:	16:00:14
Start date:	20/07/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\nZdwtTEYoW.exe'
Imagebase:	0xc30000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4816 Parent PID: 4180

General

Start time:	16:00:14
Start date:	20/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: nZdwtTEYoW.exe PID: 6052 Parent PID: 5728 nZdwtTEYoW.exeCOMMON

Executed Functions

Function 00401128, Relevance: 7.9, APIs: 1, Strings: 3, Instructions: 945COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040112D

Strings

VB5!6&*, xrefs: 00401128
q, xrefs: 0040230E
1%nB, xrefs: 0040260E

Memory Dump Source

Source File: 00000000.00000002.480398181.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.480391257.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.480431744.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.480439156.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: 1%nB$VB5!6&*$q
API String ID: 1341478452-1418848133
Opcode ID: 0bb2582355f795bb24e430a3c1cb97c7a51ba9a4cd9eece23b16decd8ea0fbc3
Instruction ID: d91c6dda3393b829e1e0181ca1c959403ab251d6e7d627793f2febcae7cdbe5c
Opcode Fuzzy Hash: 0bb2582355f795bb24e430a3c1cb97c7a51ba9a4cd9eece23b16decd8ea0fbc3
Instruction Fuzzy Hash: 7D5236614097C05EC70B4A348E2D2567F72AAA336679905FBC481BF1F3D1BE4886C76D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report nZdwtTEYoW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Networking:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

SMTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre